Guarding Control-Flow: Going to Eleven

Thursday, January 11, 2018 - 2:00pm
HFH 1132
Mathias Payer
Giovanni Vigna

Memory corruption plagues systems since the dawn of computing. While attacks
have become harder with the rise of defense techniques like stack cookies, ASLR,
and DEP, control-flow hijack attacks are still prevalent.  Attacks rely on code
reuse, often leveraging some form of information disclosure and type confusion.
Stronger defense mechanisms have been proposed but none have seen wide
deployment so far due to (i) the time it takes to deploy a security mechanism,
(ii) incompatibility with systems/software, and (iii) performance overhead. In
this talk, we evaluate the security benefits and limitations of the status quo
and look into two upcoming defense mechanisms (and their weaknesses):
Control-Flow Integrity and Type Sanitization.

Control-Flow Integrity (CFI), an upcoming mitigation, guarantees that the
runtime control flow follows the statically determined control-flow graph. An
attacker may reuse any of the valid transitions at any control-flow transfer.
CFI stops program execution before a corrupted code pointer is dereferenced but
is oblivious to the memory corruption itself, leaving the adversary some leeway.

Type Sanitization protects software against type confusion vulnerabilities where
a base class is downcast into a derived class. A type sanitizer tracks the types
of all objects and makes type casts explicit through a runtime check to ensure
that valid objects are used in casts. Type sanitization prohibits memory
corruption for vulnerabilities that leverage type confusion. Combining type
awareness with CFI will protect systems against control-flow hijacking that is
initiated through type confusion (the majority of today's attacks). Challenges
for combined defenses are performance overhead and compatibility issues.

Mathias Payer is a security researcher and an assistant professor in computer
science at Purdue university, leading the HexHive group. He is interested in
system and software security. His research focuses on protecting applications
in the presence of vulnerabilities, with a focus on memory corruption,
control-flow hijacking, and type confusion.  Before joining Purdue in 2014, he
spent two years as PostDoc in Dawn Song's BitBlaze group at UC Berkeley. He
graduated from ETH Zurich with a Dr. sc. ETH in 2012. In 2014, he founded the
b01lers Purdue CTF team. All implementation prototypes from his group are

Everyone welcome!