Title: Hardware-Assisted Processor Tracing for Automated Bug Finding and Exploit Prevention
Date: Thursday, May 5th, 2022
Time: 4:00 PM - 6:00 PM (EST)
Location: https://gatech.zoom.us/j/96588444591
Carter Yagemann
Ph.D. Candidate
School of Cybersecurity and Privacy
College of Computing
Georgia Institute of Technology
Committee:
Dr. Wenke Lee (Advisor, School of Cybersecurity and Privacy, Georgia Institute of Technology)
Dr. Brendan Saltaformaggio (School of Cybersecurity and Privacy, Georgia Institute of Technology)
Dr. Mustaque Ahamad (School of Cybersecurity and Privacy, Georgia Institute of Technology)
Dr. Alessandro Orso (School of Computer Science, Georgia Institute of Technology)
Dr. Weidong Cui (Partner Research Manager, Microsoft Research)
Abstract:
The proliferation of hardware-supported tracing within commodity processors has opened new doors to observing low-level behaviors in computer software with greater efficiency, transparency, and integrity than prior instrumentation-based solutions. Unfortunately, while it is intuitive that observing program executions can benefit program security analysis, several trade-offs in the design of processor tracing create serious technical challenges for this purpose, limiting its widespread adoption. First, processor tracing achieves its efficiency by recording only low-level control flow events, making it difficult to recover all the information necessary to formulate informed security decisions. Second, tracing captures the lowest possible level of program behavior, creating a semantic gap for modeling, detecting, and analyzing software vulnerabilities. Third, the sheer volume of recorded data requires careful management to preserve the low overhead required for feasible deployment within end-host systems.
To solve the above challenges, I propose control-oriented record and replay, which combines concrete traces with symbolic analysis to uncover vulnerabilities and exploits. To demonstrate the efficacy and versatility of my approach, I first present a system called ARCUS, which is capable of analyzing processor traces flagged by host-based monitors to detect, localize, and provide preliminary patches to developers for memory corruption vulnerabilities. ARCUS has detected 27 previously known vulnerabilities alongside 4 novel cases, leading to the issuance of several advisories and official developer patches. Next, I present MARSARA, a system that protects the integrity of execution unit partitioning in data provenance-based forensic analysis. MARSARA prevents several expertly crafted exploits from corrupting partitioned provenance graphs while incurring little overhead compared to prior work. Finally, I present Bunkerbuster, which extends the ideas from ARCUS into a system capable of proactively hunting for bugs across multiple end-hosts simultaneously.