Memory Corruption: Why Protection is Hard

13.12.2016, 14:00 – 15:00

2016/12/13 14:00-15:00

Speaker: Mathias Payer | Location: Mornewegstraße 32 (S4|14), Room 5.3.01, Darmstadt

Organizer: CROSSING

(Organized in the context of the hiring process for the new cybersecurity professorships.)


Software vulnerabilities allow adversaries to take control of systems. Faulty security checks in systems languages like C/C++ often result in memory corruption. As it is unlikely that all software bugs will ever be fixed, we must protect systems in the presence of bugs. With the rise of defense techniques, attacks have become much more complicated, yet control-flow hijack attacks are still prevalent. Attacks rely on code reuse, often leveraging information disclosures. Strong defense mechanisms have not yet been widely deployed due to (i) the time it takes to roll out a security mechanism, (ii) incompatibility with specific features, and (iii) performance overhead. We will evaluate the security benefits and limitations of the status quo and look into upcoming defense mechanisms.

Control-Flow Integrity (CFI) and Code-Pointer Integrity (CPI) are two of the hottest upcoming defense mechanisms. CFI guarantees that the runtime control flow follows the statically determined control-flow graph. An attacker may reuse any of the valid transitions at any control-flow transfer. CPI on the other hand is a dynamic property that enforces selective memory safety through bounds checks for code pointers by separating code pointers from regular data. We will discuss differences and advantages/disadvantages of both approaches, especially considering their security guarantees and performance impacts, and look at strategies to defend against other attack vectors like type confusion.

Short Bio

Mathias Payer is a security researcher and assistant professor in computer science at Purdue university, leading the HexHive group. His research focuses on protecting applications even in the presence of vulnerabilities, with a focus on memory corruption. He is interested in system security, binary exploitation, user-space software-based fault isolation, binary translation/recompilation, and (application) virtualization. Before joining Purdue in 2014, he spent two years as PostDoc in Dawn Song's BitBlaze group at UC Berkeley. He graduated from ETH Zurich with a Dr. sc. ETH in 2012. In 2014, he founded the b01lers Purdue CTF team. All implementation prototypes from his group are open-source.