CS SEMINAR

Guarding Low-Level Code

Speaker
Dr. Mathias Payer, EPFL, Switzerland
Chaired by
Dr LIANG Zhenkai, Associate Professor, School of Computing
liangzk@comp.nus.edu.sg

31 May 2019 Friday, 03:00 PM to 05:00 PM

Executive Classroom, COM2-04-02

Abstract:

Memory corruption has plagued systems since the dawn of computing. Attacks have evolved alongside ever stronger defenses, resulting in an eternal war in memory. Despite the rise of strong mitigations such as stack cookies, ASLR, DEP, or most recently Control-Flow Integrity, exploits are still prevalent, as none of these defenses offers complete protection. This situation calls for program testing techniques that discover reachable vulnerabilities before the attacker does. While strong mitigations make attacks harder and more expensive, finding and fixing bugs is the only way to protect against exploitation.

First, we will discuss trade-offs for recent strong control-flow hijacking mitigations, focusing on their compatibility and precision. Even commonly attacked software such as browsers is still struggling to apply these defenses broadly. Yet this is in stark contrast to IoT and embedded devices, which often have no defenses at all.

Second, we develop fuzzing techniques that follow an adversarial approach, focusing on the exposed attack surface to explore potentially reachable vulnerabilities. In this talk we will discuss how to guide a fuzzer towards bypassing hard-to-satisfy checks (such as checksums or equivalence checks). Whenever the fuzzer hits a coverage wall and no longer makes progress, we detect the checks in the code that the current inputs could not satisfy. Through transformational fuzzing we target these underexplored program components and fine-tune the program under test to particular use cases. We develop new techniques to test different kinds of hard-to-reach code, exposing new vulnerabilities.


Biodata:

Mathias Payer is a security researcher and an assistant professor at the EPFL School of Computer and Communication Sciences (IC), leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption and type violations. He is interested in software security, system security, binary exploitation, effective mitigations, fault isolation/privilege separation, strong sanitization, and software testing (fuzzing) using a combination of binary analysis and compiler-based techniques. After four years at Purdue University, he joined EPFL in 2018. Before joining Purdue in 2014 he spent two years as a postdoc in Dawn Song's BitBlaze group at UC Berkeley. He graduated from ETH Zurich with a Dr. sc. ETH in 2012, focusing on enforcing security policies through low-level binary translation. All prototype implementations are open source. He co-founded the EPFL polygl0t and Purdue b01lers CTF teams.