TU Darmstadt / ULB / TUbiblio

Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future? - Keynote -

Sadeghi, Ahmad-Reza ; Davi, Lucas ; Larsen, Per :
Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future? - Keynote -.
10th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2015)
[Konferenz- oder Workshop-Beitrag], (2015)

Kurzbeschreibung (Abstract)

Exploitation of memory-corruption vulnerabilities in widely-used software has been a threat for over two decades and no end seems to be in sight. Since performance and backwards compatibility trump security concerns, popular programs such as web browsers, servers, and office suites still contain large amounts of untrusted legacy code written in error-prone languages such as C and C++. At the same time, modern exploits are evolving quickly and routinely incorporate sophisticated techniques such as code reuse and memory disclosure. As a result, they bypass all widely deployed countermeasures including data execution prevention (DEP) and code randomization such as address space layout randomization (ASLR).

The good news is that the security community has recently introduced several promising prototype defenses that offer a more principled response to modern exploits. Even though these solutions have improved substantially over time, they are not perfect and weaknesses that allow bypasses are continually being discovered. Moreover, it remains to be seen whether these prototype defenses can be matured and integrated into operating systems, compilers, and other systems software.

This paper provides a brief overview of current state-of-the-art exploitation and defense techniques against run-time exploits and elaborates on innovative research prototypes that may one day stem the tide of sophisticated exploits. We also provide a brief analysis and categorization of existing defensive techniques and ongoing work in the areas of code randomization and control-flow integrity, and cover both hardware and software-based solutions.

Typ des Eintrags: Konferenz- oder Workshop-Beitrag (Keine Angabe)
Erschienen: 2015
Autor(en): Sadeghi, Ahmad-Reza ; Davi, Lucas ; Larsen, Per
Titel: Securing Legacy Software against Real-World Code-Reuse Exploits: Utopia, Alchemy, or Possible Future? - Keynote -
Sprache: Deutsch
Kurzbeschreibung (Abstract):

Exploitation of memory-corruption vulnerabilities in widely-used software has been a threat for over two decades and no end seems to be in sight. Since performance and backwards compatibility trump security concerns, popular programs such as web browsers, servers, and office suites still contain large amounts of untrusted legacy code written in error-prone languages such as C and C++. At the same time, modern exploits are evolving quickly and routinely incorporate sophisticated techniques such as code reuse and memory disclosure. As a result, they bypass all widely deployed countermeasures including data execution prevention (DEP) and code randomization such as address space layout randomization (ASLR).

The good news is that the security community has recently introduced several promising prototype defenses that offer a more principled response to modern exploits. Even though these solutions have improved substantially over time, they are not perfect and weaknesses that allow bypasses are continually being discovered. Moreover, it remains to be seen whether these prototype defenses can be matured and integrated into operating systems, compilers, and other systems software.

This paper provides a brief overview of current state-of-the-art exploitation and defense techniques against run-time exploits and elaborates on innovative research prototypes that may one day stem the tide of sophisticated exploits. We also provide a brief analysis and categorization of existing defensive techniques and ongoing work in the areas of code randomization and control-flow integrity, and cover both hardware and software-based solutions.

Buchtitel: 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2015)
Freie Schlagworte: ICRI-SC;Secure Things
Fachbereich(e)/-gebiet(e): 20 Fachbereich Informatik
20 Fachbereich Informatik > Systemsicherheit
Profilbereiche
Profilbereiche > Cybersicherheit (CYSEC)
LOEWE
LOEWE > LOEWE-Zentren
LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
Hinterlegungsdatum: 04 Aug 2016 10:13
ID-Nummer: TUD-CS-2015-0043
Verwandte URLs:
Export:

Optionen (nur für Redakteure)

Eintrag anzeigen Eintrag anzeigen