|
The exploitation of memory corruption vulnerabilities in popular software is among the leading causes of system compromise and malware infection. While there are several reasons behind this proliferation of exploitable bugs, the reliance on unsafe programming languages such as C and C++ and the complexity of modern software play a major role. The continuous discovery of previously unknown (zero-day) vulnerabilities in browsers, document viewers, and other widely used software, and the lack of effective defenses against recent exploitation techniques that leverage memory disclosure vulnerabilities, necessitate the development of additional defense mechanisms.
The main objective of this project is the design of software shielding techniques and their practical applicability to commodity software and systems. The key innovative aspects of the investigated techniques include: i) principled design that considers the strong adversarial models imposed by the latest exploitation advancements, i.e., disclosure-aided exploitation and data-only attacks, against which effective countermeasures remain an open problem; ii) novel code specialization and data protection techniques, to introduce process-level unpredictability and limit the exposure of critical data; iii) hardware-assisted implementation by leveraging recent and upcoming processor features to minimize the performance impact of the applied protections; and iv) focus on practical considerations, such as operational compatibility and non-disruptive deployment. The outcomes of this research effort are expected to improve the state of the art in defenses against advanced exploits, and achieve substantial practical impact by shielding existing vulnerable applications against exploitation, benefiting both end users and security researchers. The project also provides students the opportunity to conduct research in cybersecurity, and fosters the integration of cybersecurity into high school education through hands-on workshops for students and seminars for science teachers.
|
CAREER: Principled and Practical Software Shielding against Advanced Exploits