Preventing Memory Error Exploits with WIT

Akritidis, Periklis; Cadar, Cristian; Raiciu, Costin; Costa, Manuel; Castro, Miguel

doi:10.1109/sp.2008.30

Cited by 224 publications

(192 citation statements)

References 15 publications

Supporting

Mentioning

191

Contrasting

Unclassified

Order By: Relevance

“…On the other hand, experience has shown that low overhead mechanisms that trade off security guarantees for performance (e.g., approximate [48] or partial [5] memory safety) eventually get bypassed [9,52,21,11,17].…”

Section: Possible Countermeasuresmentioning

confidence: 99%

Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Evans

Fingeret

González

et al. 2015

2015 IEEE Symposium on Security and Privacy

117

View full text Add to dashboard Cite

Abstract-Memory corruption attacks continue to be a major vector of attack for compromising modern systems. Numerous defenses have been proposed against memory corruption attacks, but they all have their limitations and weaknesses. Stronger defenses such as complete memory safety for legacy languages (C/C++) incur a large overhead, while weaker ones such as practical control flow integrity have been shown to be ineffective. A recent technique called code pointer integrity (CPI) promises to balance security and performance by focusing memory safety on code pointers thus preventing most control-hijacking attacks while maintaining low overhead. CPI protects access to code pointers by storing them in a safe region that is protected by instruction level isolation. On x86-32, this isolation is enforced by hardware; on x86-64 and ARM, isolation is enforced by information hiding. We show that, for architectures that do not support segmentation in which CPI relies on information hiding, CPI's safe region can be leaked and then maliciously modified by using data pointer overwrites. We implement a proofof-concept exploit against Nginx and successfully bypass CPI implementations that rely on information hiding in 6 seconds with 13 observed crashes. We also present an attack that generates no crashes and is able to bypass CPI in 98 hours. Our attack demonstrates the importance of adequately protecting secrets in security mechanisms and the dangers of relying on difficulty of guessing without guaranteeing the absence of memory leaks.

show abstract

Section: Possible Countermeasuresmentioning

confidence: 99%

Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Evans

Fingeret

González

et al. 2015

2015 IEEE Symposium on Security and Privacy

117

View full text Add to dashboard Cite

show abstract

“…WIT [2] discusses a very efficient technique to check whether instructions write to valid memory location. Their technique is based on static analysis that does a points-to analysis of the application.…”

Section: Runtime Enforcement Of Static Analysis Resultsmentioning

confidence: 99%

ValueGuard: Protection of Native Applications against Data-Only Buffer Overflows

Acker

Nikiforakis

Philippaerts

et al. 2010

Information Systems Security

View full text Add to dashboard Cite

Abstract. Code injection attacks that target the control-data of an application have been prevalent amongst exploit writers for over 20 years. Today however, these attacks are getting increasingly harder for attackers to successfully exploit due to numerous countermeasures that are deployed by modern operating systems. We believe that this fact will drive exploit writers away from classic control-data attacks and towards data-only attacks. In data-only attacks, the attacker changes key data structures that are used by the program's logic and thus forces the control flow into existing parts of the program that would be otherwise unreachable, e.g. overflowing into a boolean variable that states whether the current user is an administrator or not and setting it to "true" thereby gaining access to the administrative functions of the program. In this paper we present ValueGuard, a canary-based defense mechanism to protect applications against data-only buffer overflow attacks. ValueGuard inserts canary values in front of all variables and verifies their integrity whenever these variables are used. In this way, if a buffer overflow has occurred that changed the contents of a variable, ValueGuard will detect it since the variable's canary will have also been changed. The countermeasure itself can be used either as a testing tool for applications before their final deployment or it can be applied selectively to legacy or high-risk parts of programs that we want to protect at run-time, without incurring extra time-penalties to the rest of the applications.

show abstract

“…The simplest way to achieve this is to intercept signals such as a segmentation fault that indicates improper memory handling. Other approaches that detect memory errors can also be employed [18,8,1,21]. When an error is detected AS-SURE initiates offline rescue point analysis (see Fig.…”

Section: Rescue Point Discoverymentioning

confidence: 99%

“…To alleviate some of the dangers that bugs like buffer overflows and dangling pointers entail, various containment and runtime protection techniques have been proposed [8,1,7,12,18]. These techniques can offer assurances that certain types of program vulnerabilities cannot be exploited to compromise security, but they do not also offer high availability and reliability, as they frequently terminate the compromised program to prevent the attacker from performing any useful action.…”

Section: Introductionmentioning

confidence: 99%

REASSURE: A Self-contained Mechanism for Healing Software Using Rescue Points

Portokalidis

Keromytis

2011

Advances in Information and Computer Security

View full text Add to dashboard Cite

Abstract. Software errors are frequently responsible for the limited availability of Internet Services, loss of data, and many security compromises. Self-healing using rescue points (RPs) is a mechanism that can be used to recover software from unforeseen errors until a more permanent remedy, like a patch or update, is available. We present RE-ASSURE, a self-contained mechanism for recovering from such errors using RPs. Essentially, RPs are existing code locations that handle certain anticipated errors in the target application, usually by returning an error code. REASSURE enables the use of these locations to also handle unexpected faults. This is achieved by rolling back execution to a RP when a fault occurs, returning a valid error code, and enabling the application to gracefully handle the unexpected error itself. REAS-SURE can be applied on already running applications, while disabling and removing it is equally facile. We tested REASSURE with various applications, including the MySQL and Apache servers, and show that it allows them to successfully recover from errors, while incurring moderate overhead between 1% and 115%. We also show that even under very adverse conditions, like their continuous bombardment with errors, REASSURE protected applications remain operational.

show abstract

Preventing Memory Error Exploits with WIT

Cited by 224 publications

References 15 publications

Missing the Point(er): On the Effectiveness of Code Pointer Integrity

Missing the Point(er): On the Effectiveness of Code Pointer Integrity

ValueGuard: Protection of Native Applications against Data-Only Buffer Overflows

REASSURE: A Self-contained Mechanism for Healing Software Using Rescue Points

Contact Info

Product

Resources

About