PhD Proposal by Carter Yagemann


Event Details
  • Date/Time:
    • Thursday September 2, 2021
      3:00 pm - 4:00 pm
  • Location: Coda C0903 (Ansley)
  • URL: Bluejeans
  • Fee(s):
    N/A
Summaries

Summary Sentence: Hardware-Assisted Processor Tracing for Automated Bug Finding and Exploit Prevention


Title: Hardware-Assisted Processor Tracing for Automated Bug Finding and Exploit Prevention

Date: Thursday, September 2nd, 2021

Time: 3:00-4:00pm (EST)

Location (Physical): Coda C0903 (Ansley)

Location (Virtual): https://bluejeans.com/885383300

 

Carter Yagemann

PhD Student, Computer Science

School of Cybersecurity and Privacy

College of Computing

Georgia Institute of Technology

 

Committee:

 

Dr. Wenke Lee (advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Brendan Saltaformaggio, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Mustaque Ahamad, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Alessandro Orso, School of Computer Science, Georgia Institute of Technology

Dr. Weidong Cui, Partner Research Manager, Microsoft Research

 

Abstract:

 

The proliferation of hardware-supported tracing within commodity processors has opened new doors to observing low-level behaviors in computer software with greater efficiency, transparency, and integrity than prior instrumentation-based solutions. Unfortunately, while it is intuitive that observing program executions can benefit program security analysis, several trade-offs in the design of processor tracing result in serious technical challenges for this purpose, limiting its widespread adoption. First, processor tracing achieves its efficiency by limiting recording to only low-level control flow events, making it difficult to recover all the information necessary to formulate informed security decisions. Second, tracing captures the lowest possible level of program behavior, creating a semantic gap for modeling, detecting, and analyzing software vulnerabilities. Third, the sheer volume of recorded data requires careful management to preserve the low overhead required for feasible deployment within end-host systems.

 

In this thesis, I propose solutions to the above challenges. First, I present a system called ARCUS, which is capable of analyzing processor traces flagged by host-based IDS monitors to detect, localize, and provide preliminary patches to developers for overflow, use-after-free, double free, and format string vulnerabilities. In my evaluation, ARCUS demonstrates promising results, detecting 27 previously known vulnerabilities alongside 4 novel cases, leading to the issuance of several CVE advisories and official developer patches. Next, I present another system, MARSARA, which protects the integrity of execution unit partitioning (EUP) for data provenance used in forensic analysis. MARSARA prevents several expertly crafted exploits from corrupting EUP-partitioned graphs while incurring little overhead compared to existing system auditing frameworks. Finally, I propose Bunkerbuster, a system that proactively searches for and analyzes binary vulnerabilities using processor traces and memory snapshots collected from multiple end-host systems.

Additional Information

In Campus Calendar
No
Groups

Graduate Studies

Invited Audience
Faculty/Staff, Public, Graduate students, Undergraduate students
Categories
Other/Miscellaneous
Keywords
Phd proposal
Status
  • Created By: Tatianna Richardson
  • Workflow Status: Published
  • Created On: Aug 24, 2021 - 9:39am
  • Last Updated: Aug 24, 2021 - 9:39am