Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization

Anton Kuijsten, Andrew S. Tanenbaum
Vrije Universiteit Amsterdam
21st USENIX Security Symposium, Bellevue, WA, USA, August 8-10

Kernel-level Exploitation
Kernel-level exploitation increasingly gaining momentum.
Many exploits available for Windows, Linux, BSD, Mac OS X, iOS.
Plenty of memory error vulnerabilities to choose from.
Plethora of internet-connected users running the same kernel version.
Many attack opportunities for both local and remote exploits.

Existing Countermeasures
Preserving kernel code integrity [SecVisor, NICKLE, hvmharvard].
Kernel hook protection [HookSafe, HookScout, Indexed hooks].
Control-flow integrity [SBCFI].
No comprehensive memory error protection.
Virtualization support required, high overhead.

Address Space Randomization
Well-established defense mechanism against memory error exploits.
Application-level support in all the major operating systems.
The operating system itself typically not randomized at all.
Only recent Windows releases perform basic text randomization.
Goal: Fine-grained ASR for operating systems.

Challenges in OS-level ASR
Instrumentation
Rerandomization
Information leakage
Brute forcing

A Design for OS-level ASR
Make both location and layout of memory objects unpredictable.
LLVM-based link-time transformations for safe and efficient ASR.
Minimal amount of untrusted code exposed to the runtime.
Live rerandomization to maximize unobservability of the system.
No changes in the software distribution model.

Architecture

Code Randomization
Original function (LLVM IR)
Randomize function location
Add random-sized padding
Basic block shifting

Static Data Randomization
Original variable and type (LLVM IR)
Randomize variable location
Add random-sized padding
Internal layout randomization

Stack Randomization
Stack frame: Previous frame, Parameters, Return address, Saved base pointer, Local variables.
New stack frame: Previous frame, Inter-frame padding, Parameters, Return address, Saved base pointer, Nonbuffer variables, Intra-frame padding, Buffer variables.

Dynamic Data Randomization
Support for malloc()/mmap()-like allocator abstractions.
Memory mapped regions are fully randomized.
Heap allocations are interleaved with random-sized padding.
Full heap randomization enforced at live rerandomization time.
ILR for all the dynamically allocated memory objects.

Live Rerandomization
First stateful live rerandomization technique.
Periodically rerandomize the memory address space layout.
Support arbitrary memory layout changes at rerandomization time.
Support all the standard C idioms with minimal manual effort.
Sandbox the rerandomization code to recover from run-time errors.
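The heap padding from the Dynamic Data Randomization slide and the relocation step from the Live Rerandomization slide, as an added C example that is not code from the talk or from the authors' system. All names (rand_heap, rh_alloc, rh_rerandomize, rh_layout_ok), the 4 KiB arena, the 0..7 x 16-byte padding policy, the xorshift generator and the handle table standing in for pointer fix-up are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE    4096u
#define ALIGNMENT     16u
#define MAX_PAD_UNITS 8u   /* assumed policy: pad is 0..7 units of ALIGNMENT */
#define MAX_OBJS      32u

/* Per-allocation metadata: what the rerandomizer needs to relocate an object. */
struct obj_meta { size_t off, size; };

struct rand_heap {
    _Alignas(16) unsigned char mem[ARENA_SIZE];
    size_t next;                     /* first unused byte in mem */
    uint64_t rng;                    /* PRNG state */
    struct obj_meta objs[MAX_OBJS];  /* indexed by handle */
    size_t nobjs;
};

/* xorshift64: deterministic stand-in so the example is reproducible; a real
 * allocator would draw its padding from the system's entropy source. */
static uint64_t next_rand(uint64_t *s) {
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

/* Reserve size bytes behind a random-sized pad; 0 on success, -1 if full. */
static int place(uint64_t *rng, size_t *next, size_t size, size_t *off) {
    size_t pad = (size_t)(next_rand(rng) % MAX_PAD_UNITS) * ALIGNMENT;
    size_t rounded = (size + ALIGNMENT - 1) & ~(size_t)(ALIGNMENT - 1);
    if (pad + rounded > ARENA_SIZE - *next) return -1;
    *off = *next + pad;
    *next = *off + rounded;
    return 0;
}

void rh_init(struct rand_heap *h, uint64_t seed) {
    memset(h, 0, sizeof *h);
    h->rng = seed ? seed : 1;        /* xorshift state must be nonzero */
}

/* Returns a handle that stays valid across rerandomization, or -1. */
int rh_alloc(struct rand_heap *h, size_t size) {
    size_t off;
    if (size == 0 || size > ARENA_SIZE || h->nobjs == MAX_OBJS) return -1;
    if (place(&h->rng, &h->next, size, &off) != 0) return -1;
    h->objs[h->nobjs] = (struct obj_meta){ off, size };
    return (int)h->nobjs++;
}

/* Relocate every live object in shuffled order with fresh padding. The layout is
 * built in a scratch arena and committed only if it fits; on -1 the heap is unchanged. */
int rh_rerandomize(struct rand_heap *h, uint64_t seed) {
    unsigned char fresh[ARENA_SIZE] = {0};   /* zeroed: no stale copies survive */
    struct obj_meta moved[MAX_OBJS];
    size_t order[MAX_OBJS], next = 0, i, off;
    uint64_t rng = seed ? seed : 1;

    for (i = 0; i < h->nobjs; i++) order[i] = i;
    for (i = h->nobjs; i > 1; i--) {         /* Fisher-Yates shuffle */
        size_t j = (size_t)(next_rand(&rng) % i), t = order[i - 1];
        order[i - 1] = order[j]; order[j] = t;
    }
    for (i = 0; i < h->nobjs; i++) {
        const struct obj_meta *o = &h->objs[order[i]];
        if (place(&rng, &next, o->size, &off) != 0) return -1;
        memcpy(fresh + off, h->mem + o->off, o->size);
        moved[order[i]] = (struct obj_meta){ off, o->size };
    }
    memcpy(h->mem, fresh, sizeof fresh);
    memcpy(h->objs, moved, h->nobjs * sizeof moved[0]);
    h->next = next; h->rng = rng;
    return 0;
}

/* 1 if every object is aligned, in bounds and disjoint from all others. */
int rh_layout_ok(const struct rand_heap *h) {
    for (size_t i = 0; i < h->nobjs; i++) {
        const struct obj_meta *p = &h->objs[i];
        if (p->off % ALIGNMENT || p->off + p->size > ARENA_SIZE) return 0;
        for (size_t j = i + 1; j < h->nobjs; j++)
            if (p->off < h->objs[j].off + h->objs[j].size &&
                h->objs[j].off < p->off + p->size) return 0;
    }
    return 1;
}

int main(void) {
    struct rand_heap h;
    rh_init(&h, 1);
    int a = rh_alloc(&h, 24), b = rh_alloc(&h, 100);
    printf("before: %zu %zu\n", h.objs[a].off, h.objs[b].off);
    int rc = rh_rerandomize(&h, 2);
    printf("after:  %zu %zu rc=%d ok=%d\n", h.objs[a].off, h.objs[b].off, rc, rh_layout_ok(&h));
    return 0;
}
```

Callers hold handles rather than raw pointers, so an address learned before rh_rerandomize() no longer refers to the object afterwards.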

ASRR Transformations

ASRR Metadata
Types
Global variables
Static variables
String constants
Functions
Dynamic memory allocations

The Rerandomization Process

ASR Performance
[Figure: normalized execution time with ASR instrumentation and with ASR+ASRR instrumentation for gcc, perlbench, bzip2, sphinx3, lbm, h264ref, libquantum, sjeng, hmmer, gobmk, milc, mcf, the SPEC average, and devtools.]

ASRR Performance
[Figure: panels for the SPEC CPU 2006 benchmarks and the devtools benchmark; axes are runtime overhead (%) and rerandomization latency (s).]

Summary
A new fine-grained ASR technique for operating systems.
Better performance and security than prior ASR solutions.
Live rerandomization and ILR to counter information leakage.
No heavyweight instrumentation exposed to the runtime.
Process-based isolation to recover from run-time ASRR errors.

Thank you! Any questions?
Anton Kuijsten, Andy Tanenbaum
Vrije Universiteit Amsterdam


kguard++: Improving the Performance of kguard with Low-latency Code Inflation kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin

More information

in memory: an evolution of attacks Mathias Payer Purdue University

in memory: an evolution of attacks Mathias Payer Purdue University in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory

More information

Baggy bounds with LLVM

Baggy bounds with LLVM Baggy bounds with LLVM Anton Anastasov Chirantan Ekbote Travis Hance 6.858 Project Final Report 1 Introduction Buffer overflows are a well-known security problem; a simple buffer-overflow bug can often

More information

Near-Threshold Computing: How Close Should We Get?

Near-Threshold Computing: How Close Should We Get? Near-Threshold Computing: How Close Should We Get? Alaa R. Alameldeen Intel Labs Workshop on Near-Threshold Computing June 14, 2014 Overview High-level talk summarizing my architectural perspective on

More information

ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks

ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks Radhesh Krishnan Konoth, Vrije Universiteit Amsterdam; Marco Oliverio, University of Calabria/Vrije Universiteit Amsterdam;

More information

Baggy bounds checking. Periklis Akri5dis, Manuel Costa, Miguel Castro, Steven Hand

Baggy bounds checking. Periklis Akri5dis, Manuel Costa, Miguel Castro, Steven Hand Baggy bounds checking Periklis Akri5dis, Manuel Costa, Miguel Castro, Steven Hand C/C++ programs are vulnerable Lots of exis5ng code in C and C++ More being wrieen every day C/C++ programs are prone to

More information

Portable Power/Performance Benchmarking and Analysis with WattProf

Portable Power/Performance Benchmarking and Analysis with WattProf Portable Power/Performance Benchmarking and Analysis with WattProf Amir Farzad, Boyana Norris University of Oregon Mohammad Rashti RNET Technologies, Inc. Motivation Energy efficiency is becoming increasingly

More information

DEMM: a Dynamic Energy-saving mechanism for Multicore Memories

DEMM: a Dynamic Energy-saving mechanism for Multicore Memories DEMM: a Dynamic Energy-saving mechanism for Multicore Memories Akbar Sharifi, Wei Ding 2, Diana Guttman 3, Hui Zhao 4, Xulong Tang 5, Mahmut Kandemir 5, Chita Das 5 Facebook 2 Qualcomm 3 Intel 4 University

More information

Spatial Memory Streaming (with rotated patterns)

Spatial Memory Streaming (with rotated patterns) Spatial Memory Streaming (with rotated patterns) Michael Ferdman, Stephen Somogyi, and Babak Falsafi Computer Architecture Lab at 2006 Stephen Somogyi The Memory Wall Memory latency 100 s clock cycles;

More information

Shreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S

Shreds: S H R E. Fine-grained Execution Units with Private Memory. Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu D S Shreds: S H R E D S Fine-grained Execution Units with Private Memory Yaohui Chen, Sebassujeen Reymondjohnson, Zhichuang Sun, Long Lu RiS3 Lab / Computer Science / Stony Brook University 1 Execution Units

More information

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages Kangjie Lu, Chengyu Song, Taesoo Kim, Wenke Lee School of Computer Science, Georgia Tech Any Problem Here? /* File: drivers/usb/core/devio.c*/

More information

Performance Characterization of SPEC CPU Benchmarks on Intel's Core Microarchitecture based processor

Performance Characterization of SPEC CPU Benchmarks on Intel's Core Microarchitecture based processor Performance Characterization of SPEC CPU Benchmarks on Intel's Core Microarchitecture based processor Sarah Bird ϕ, Aashish Phansalkar ϕ, Lizy K. John ϕ, Alex Mericas α and Rajeev Indukuru α ϕ University

More information

Generating Low-Overhead Dynamic Binary Translators

Generating Low-Overhead Dynamic Binary Translators Generating Low-Overhead Dynamic Binary Translators Mathias Payer ETH Zurich, Switzerland mathias.payer@inf.ethz.ch Thomas R. Gross ETH Zurich, Switzerland trg@inf.ethz.ch Abstract Dynamic (on the fly)

More information

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI) Brad Karp UCL Computer Science CS GZ03 / M030 9 th December 2011 Motivation: Vulnerabilities in C Seen dangers of vulnerabilities: injection

More information

HeapTherapy: An Efficient End-to-end Solution Against Heap Buffer Overflows

HeapTherapy: An Efficient End-to-end Solution Against Heap Buffer Overflows HeapTherapy: An Efficient End-to-end Solution Against Heap Buffer Overflows Qiang Zeng*, Mingyi Zhao*, Peng Liu The Pennsylvania State University University Park, PA, 16802, USA Email: {quz105, muz127,

More information

Exploring Speculative Parallelism in SPEC2006

Exploring Speculative Parallelism in SPEC2006 Exploring Speculative Parallelism in SPEC2006 Venkatesan Packirisamy, Antonia Zhai, Wei-Chung Hsu, Pen-Chung Yew and Tin-Fook Ngai University of Minnesota, Minneapolis. Intel Corporation {packve,zhai,hsu,yew}@cs.umn.edu

More information