TU Darmstadt / ULB / TUbiblio

Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future? - Keynote -

Sadeghi, Ahmad-Reza ; Davi, Lucas ; Larsen, Per (2015)
Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future? - Keynote -.
Konferenzveröffentlichung, Bibliographie

Kurzbeschreibung (Abstract)

Exploitation of memory-corruption vulnerabilities in widely-used software has been a threat for over two decades and no end seems to be in sight. Since performance and backwards compatibility trump security concerns, popular programs such as web browsers, servers, and office suites still contain large amounts of untrusted legacy code written in error-prone languages such as C and C++. At the same time, modern exploits are evolving quickly and routinely incorporate sophisticated techniques such as code reuse and memory disclosure. As a result, they bypass all widely deployed countermeasures including data execution prevention (DEP) and code randomization such as address space layout randomization (ASLR).

The good news is that the security community has recently introduced several promising prototype defenses that offer a more principled response to modern exploits. Even though these solutions have improved substantially over time, they are not perfect and weaknesses that allow bypasses are continually being discovered. Moreover, it remains to be seen whether these prototype defenses can be matured and integrated into operating systems, compilers, and other systems software.

This paper provides a brief overview of current state-of-the-art exploitation and defense techniques against run-time exploits and elaborates on innovative research prototypes that may one day stem the tide of sophisticated exploits. We also provide a brief analysis and categorization of existing defensive techniques and ongoing work in the areas of code randomization and control-flow integrity, and cover both hardware and software-based solutions.

Typ des Eintrags: Konferenzveröffentlichung
Erschienen: 2015
Autor(en): Sadeghi, Ahmad-Reza ; Davi, Lucas ; Larsen, Per
Art des Eintrags: Bibliographie
Titel: Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future? - Keynote -
Sprache: Deutsch
Publikationsjahr: 2015
Buchtitel: 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2015)
Zugehörige Links:
Kurzbeschreibung (Abstract):

Exploitation of memory-corruption vulnerabilities in widely-used software has been a threat for over two decades and no end seems to be in sight. Since performance and backwards compatibility trump security concerns, popular programs such as web browsers, servers, and office suites still contain large amounts of untrusted legacy code written in error-prone languages such as C and C++. At the same time, modern exploits are evolving quickly and routinely incorporate sophisticated techniques such as code reuse and memory disclosure. As a result, they bypass all widely deployed countermeasures including data execution prevention (DEP) and code randomization such as address space layout randomization (ASLR).

The good news is that the security community has recently introduced several promising prototype defenses that offer a more principled response to modern exploits. Even though these solutions have improved substantially over time, they are not perfect and weaknesses that allow bypasses are continually being discovered. Moreover, it remains to be seen whether these prototype defenses can be matured and integrated into operating systems, compilers, and other systems software.

This paper provides a brief overview of current state-of-the-art exploitation and defense techniques against run-time exploits and elaborates on innovative research prototypes that may one day stem the tide of sophisticated exploits. We also provide a brief analysis and categorization of existing defensive techniques and ongoing work in the areas of code randomization and control-flow integrity, and cover both hardware and software-based solutions.

Freie Schlagworte: ICRI-SC;Secure Things
ID-Nummer: TUD-CS-2015-0043
Fachbereich(e)/-gebiet(e): 20 Fachbereich Informatik
20 Fachbereich Informatik > Systemsicherheit
Profilbereiche
Profilbereiche > Cybersicherheit (CYSEC)
LOEWE
LOEWE > LOEWE-Zentren
LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
Hinterlegungsdatum: 04 Aug 2016 10:13
Letzte Änderung: 03 Jun 2018 21:31
PPN:
Zugehörige Links:
Export:
Suche nach Titel in: TUfind oder in Google
Frage zum Eintrag Frage zum Eintrag

Optionen (nur für Redakteure)
Redaktionelle Details anzeigen Redaktionelle Details anzeigen