Security Testing Hard-to-Reach Code
Vulnerabilities in code enable adversaries to exploit programs, e.g., leaking private information or escalating privileges to gain code execution. Memory corruption and type confusion are common bug classes that are the basis of most vulnerabilities in low level software written in C or C++. Despite the rise of strong mitigations such as stack cookies, ASLR, DEP, or most recently Control-Flow Integrity, exploits are still prevalent as none of these defenses offers complete protection. This situation calls for program testing techniques that discover reachable vulnerabilities before an attacker. Finding and fixing bugs is the only way to protect against any exploitation.
As current programs are massively complex with hundreds of millions of lines of code, finding all bugs is infeasible. In a first step we develop an automatic approach to assess the attack surface of programs. By focusing on code that processes adversary-controlled input we can restrict the amount of code that must be vetted. Memory corruption and type confusion bugs inherently result in undefined behavior. For example, a buffer overflow may result in a segmentation fault, corruption of another memory object, or a write to an unused memory region. Sanitization is a technique that makes undefined behavior explicit by instrumenting the program with policy checks during compilation. Whenever a policy check fails, e.g., when writing past the end of a buffer, the sanitizer reports the bug location and additional details. Sanitization is a dynamic software testing technique and therefore requires concrete executions to detect bugs. Fuzzing complements sanitization by automatically generating inputs to trigger new code paths. We will discuss the combination of fuzzing and sanitization to test exposed code and to secure the current attack surface.
Mathias Payer is a security researcher and an assistant professor at the EPFL school of computer and communication sciences (IC), leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption and type violations. He is interested in software security, system security, binary exploitation, effective mitigations, fault isolation/privilege separation, strong sanitization, and software testing (fuzzing) using a combination of binary analysis and compiler-based techniques. All prototype implementations are open-source.
After 4 years at Purdue university, he joined EPFL in 2018. Before joining Purdue in 2014 he spent two years as PostDoc in Dawn Song’s BitBlaze group at UC Berkeley. He graduated from ETH Zurich with a Dr. sc. ETH in 2012, focusing on enforcing security policies through low-level binary translation. He co-founded the EPFL polygl0t and Purdue b01lers CTF teams.
Defending against transient execution attacks
The recent waves of transient execution attacks, including Spectre, Meltdown and Foreshadow in 2018, and RIDL, Fallout and ZombieLoad in 2019, have abundantly shown that performance optimizations in hardware can lead to dangerous vulnerabilities that can be exploited by malicious software.
Even though the first transient execution attacks are only two years old, we already see evidence of a new attacker-defender race in system security. As defenders scramble to design and implement mitigations, attackers find new ways to bypass these mitigations. In this talk, we will recap how transient execution attacks work, and provide a brief overview of attack techniques developed so far. Finally, we will discuss some potential paths to make defenses against these attacks more principled.
Frank Piessens is a full professor in the Department of Computer Science at the Katholieke Universiteit Leuven, Belgium. His research field is software security, where he focuses on the development of high-assurance techniques to deal with implementation-level software vulnerabilities and bugs, including techniques such as software verification, run-time monitoring, hardware security architectures, type systems and programming language design. He studies the theory behind these techniques as well as their application in many types of software systems, including web applications, embedded software, and mobile applications. His achievements in the field of software security include contributions to: the development of verification techniques for C-like languages, the development of the secure multi-execution technique for enforcing information flow security, the development of a variety of countermeasures for memory safety related vulnerabilities, and the development of the embedded security architecture Sancus.