|
Today's software remains vulnerable to attack. Despite decades of advances in areas ranging from testing to static analysis and verification, all large real-world software is deployed with errors. Because this software is either written in or underpinned by unsafe languages, errors often translate to security vulnerabilities. Although techniques exist that could prevent or limit the risk of exploits, high performance overhead blocks their adoption, leaving today's systems open to attack. To address these problems, we propose a new approach: evidence-assisted detection and elimination of security vulnerabilities (EVADE). EVADE will prevent security vulnerabilities from compromising a system . The challenge, and the goal, is to make it efficient in time and space, and to make it practical for deployment. EVADE will produce detailed reports for developers to reduce the time and effort required to fix their applications. By blocking a wide range of attacks and automatically pinpointing vulnerabilities, EVADE will dramatically increase the security of application software running on servers and desktop platforms, and it will enable a new class of post-attack security analyses.
The technical approach is a novel one that spans the traditional research boundaries of runtime systems, operating systems, and virtual machines. EVADE will run unmodified applications in a coordinated framework that will perform selective forensic analysis before any output is committed, blocking exploits from compromising their host and making it possible to pinpoint errors with low overhead. The EVADE runtime system will place lightweight tripwires at random locations in memory that can be quickly validated to detect malicious behavior. Within an application, these take the form of signatures placed on the stack and in the heap, while at the hypervisor-level EVADE they may protect the system call table or other crucial data structures. The EVADE VM will divide execution into incrementally-checkpointed epochs. At each epoch boundary, before any system state is committed, the EVADE virtual machine will indicate to the EVADE runtime system which pages have been modified, letting it perform checks to identify vulnerabilities. EVADE will thus dramatically increase the security of vulnerable applications with extremely low runtime overhead, and will assist developers in locating vulnerabilities when an exploit does occur.
|
TWC: Small: Collaborative: EVADE: Evidence-Assisted Detection and Elimination of Security Vulnerabilities