
PhD Defense by Carter Yagemann


Title: Hardware-Assisted Processor Tracing for Automated Bug Finding and Exploit Prevention

 

Date: Thursday, May 5th, 2022

Time: 4:00 PM - 6:00 PM (EST)

Location: https://gatech.zoom.us/j/96588444591

 

Carter Yagemann

Ph.D. Candidate

School of Cybersecurity and Privacy

College of Computing

Georgia Institute of Technology

 

Committee:

 

Dr. Wenke Lee (Advisor, School of Cybersecurity and Privacy, Georgia Institute of Technology)

Dr. Brendan Saltaformaggio (School of Cybersecurity and Privacy, Georgia Institute of Technology)

Dr. Mustaque Ahamad (School of Cybersecurity and Privacy, Georgia Institute of Technology)

Dr. Alessandro Orso (School of Computer Science, Georgia Institute of Technology)

Dr. Weidong Cui (Partner Research Manager, Microsoft Research)

 

Abstract:

 

The proliferation of hardware-supported tracing within commodity processors has opened new doors to observing low-level behaviors in computer software with greater efficiency, transparency, and integrity than prior instrumentation-based solutions. Unfortunately, while it is intuitive that observing program executions can benefit program security analysis, several trade-offs in the design of processor tracing result in serious technical challenges for this purpose, limiting its widespread adoption. First, processor tracing achieves its efficiency by limiting recording to only low-level control flow events, making it difficult to recover all the information necessary to formulate informed security decisions. Second, tracing captures the lowest possible level of program behavior, creating a semantic gap for modeling, detecting, and analyzing software vulnerabilities. Third, the sheer volume of recorded data requires careful management to preserve the low overhead required for feasible deployment within end-host systems.

 

To solve the above challenges, I propose control-oriented record and replay, which combines concrete traces with symbolic analysis to uncover vulnerabilities and exploits. To demonstrate the efficacy and versatility of my approach, I first present a system called ARCUS, which is capable of analyzing processor traces flagged by host-based monitors to detect, localize, and provide preliminary patches to developers for memory corruption vulnerabilities. ARCUS has detected 27 previously known vulnerabilities alongside 4 novel cases, leading to the issuance of several advisories and official developer patches. Next, I present MARSARA, a system that protects the integrity of execution unit partitioning in data provenance-based forensic analysis. MARSARA prevents several expertly crafted exploits from corrupting partitioned provenance graphs while incurring little overhead compared to prior work. Finally, I present Bunkerbuster, which extends the ideas from ARCUS into a system capable of proactively hunting for bugs across multiple end-hosts simultaneously.

Status

  • Workflow Status: Published
  • Created By: Tatianna Richardson
  • Created: 04/13/2022
  • Modified By: Tatianna Richardson
  • Modified: 04/13/2022
