650018 event 1629812359 1629812359 <![CDATA[PhD Proposal by Carter Yagemann]]> Title: Hardware-Assisted Processor Tracing for Automated Bug Finding and Exploit Prevention

Date: Thursday, September 2nd, 2021

Time: 3:00-4:00pm (EST)

Location (Physical): Coda C0903 (Ansley) Location (Virtual): https://bluejeans.com/885383300

 

Carter Yagemann

PhD Student, Computer Science

School of Cybersecurity and Privacy

College of Computing

Georgia Institute of Technology

 

Committee:

 

Dr. Wenke Lee (advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology Dr. Brendan Saltaformaggio, School of Cybersecurity and Privacy, Georgia Institute of Technology Dr. Mustaque Ahamad, School of Cybersecurity and Privacy, Georgia Institute of Technology Dr. Alessandro Orso, School of Computer Science, Georgia Institute of Technology Dr. Weidong Cui, Partner Research Manager, Microsoft Research

 

Abstract:

 

The proliferation of hardware-supported tracing within commodity processors has opened new doors to observing low-level behaviors in computer software with superior efficiency, transparency, and integrity than prior instrumentation-based solutions. Unfortunately, while it is intuitive that observing program executions can benefit program security analysis, several trade-offs in the design of processor tracing result in serious technical challenges for this purpose, limiting its widespread adoption. First, processor tracing achieves its efficiency by limiting recording to only low-level control flow events, making it difficult to recover all the information necessary to formulate informed security decisions. Second, tracing captures the lowest possible level of program behavior, creating a semantic gap for modeling, detecting, and analyzing software vulnerabilities. Third, the sheer volume of recorded data requires careful management to preserve the low overhead required for feasible deployment within end-host systems.

 

In this thesis, I propose solutions to the above challenges. First, I present a system called ARCUS, which is capable of analyzing processor traces flagged by host-based IDS monitors to detect, localize, and provide preliminary patches to developers for overflow, use-after-free, double free, and format string vulnerabilities. In my evaluation, ARCUS demonstrates promising results, detecting 27 previously known vulnerabilities alongside 4 novel cases, leading to the issuance of several CVE advisories and official developer patches. Next, I present another system, MARSARA, which protects the integrity of execution unit partitioning (EUP) for data provenance used in forensic analysis.

MARSARA prevents several expertly crafted exploits from corrupting EUP-partitioned graphs while incurring little overhead compared to existing system auditing frameworks. Finally, I propose Bunkerbuster, a system that proactively searches for and analyzes binary vulnerabilities using processor traces and memory snapshots collected from multiple end-host systems.

]]> <![CDATA[Bluejeans]]> 221981 1788 102851