Start / CERIAS Weekly Security Seminar – Purdue University / Mathias payer code pointer integrity

CERIAS Weekly Security Seminar – Purdue University

Mathias Payer, Code-Pointer Integrity

41 min • 11 februari 2015

Programs are full of bugs, leading to vulnerabilities. We'll discusspower and limitations of code-pointer integrity (CPI), a strong butpractical security policy that enforces memory safety for all codepointers, protecting against any form of control-flow hijack attack(e. g., ROP or JOP).Systems code is often written in low-level languages like C/C++, whichoffer many benefits but also delegate memory management toprogrammers. This invites memory safety bugs that attackers canexploit to divert control flow and compromise the system. Deployeddefence mechanisms (e. g., ASLR, DEP) are incomplete, and strongerdefence mechanisms (e. g., CFI) often have high overhead and limitedguarantees (and are therefore not generally deployed).In this talk we discuss code-pointer integrity (CPI), a strongsecurity policy that guarantees the integrity of all code pointers ina program (e.g., function pointers, saved return addresses) andthereby prevents all control-flow hijack attacks, includingreturn-oriented programming and jump-oriented programming. We alsointroduce code-pointer separation (CPS), a relaxation of CPI withbetter performance properties. Both CPI and CPS offer substantiallybetter security-to-overhead ratios than the state of the art, they arepractical (we protect a complete FreeBSD system and over 100 packageslike apache and postgresql), effective (prevent all attacks in theRIPE benchmark), and efficient, resulting in very low to negligibleperformance overhead. About the speaker: Mathias Payer is a security researcher and an assistant professor incomputer science at Purdue university. His interests are related tosystem security, binary exploitation, user-space software-based faultisolation, binary translation/recompilation, and (application)virtualization. His research focuses on protecting applications evenin the presence of vulnerabilities, with a focus on memory corruption.

Senaste avsnitt

Paul Vixie, Force Projection in the Information Domain: Implications of DNS Security

30 april | 72 min

Tristen Mullins, Using Side-Channels for Critical Infrastructure Protection

23 april | 36 min

Richard Love, Russian Hacking: Why, How, Who, and to What End

16 april | 58 min

Josiah Dykstra, Lessons for Cybersecurity from the American Public Health System

9 april | 50 min

Michael Clothier, Annual CERIAS Security Symposium Closing Keynote IT, OT, IoT — It's Really Just the "T": An International and Historical Perspective

2 april | 65 min

Mathias Payer, Code-Pointer Integrity

Senaste avsnitt

Paul Vixie, Force Projection in the Information Domain: Implications of DNS Security

Tristen Mullins, Using Side-Channels for Critical Infrastructure Protection

Richard Love, Russian Hacking: Why, How, Who, and to What End

Josiah Dykstra, Lessons for Cybersecurity from the American Public Health System

Michael Clothier, Annual CERIAS Security Symposium Closing Keynote IT, OT, IoT — It's Really Just the "T": An International and Historical Perspective

Tim Benedict, The Future of AI Depends on Guardrails

Amir Sadovnik, What do we mean when we talk about AI Safety and Security?

Hisham Zahid &amp; David Haddad, Decrypting the Impact of Professional Certifications in Cybersecurity Careers

Ali Al-Haj, Zero Trust Architectures and Digital Trust Frameworks: A Complementary or Contradictory Relationship?

Adam Shostack, Risk is Not Axiomatic

Mustafa Abdallah, Effects of Behavioral Decision-Making in Proactive Security Frameworks in Networked Systems

D. Richard Kuhn, How Can We Provide Assured Autonomy?

Nick Harrell, Mechanisms of Virality in Online Discourse

Stanislav Kruglik, Querying Twice: How to Ensure We Obtain the Correct File in a Private Information Retrieval Protocol

Christopher Yeomans, Fairness as Equal Concession: Critical Remarks on Fair AI

Mason Rice, Adversarial C2 inside OT Networks

Yanxue Jia, HomeRun: High-efficiency Oblivious Message Retrieval, Unrestricted

Roger Grimes, Many Ways to Hack MFA

Alessandro Acquisti, Behavioral Advertising and Consumer Welfare

Xiaoqi Chen, SmartCookie: Blocking Large-Scale SYN Floods with a Split-Proxy Defense on Programmable Data Planes

Zhou Li, The Road Towards Accurate, Scalable and Robust Graph-based Security Analytics: Where Are We Now?

Michail Maniatakos, Dissecting the Software Supply Chain of Modern Industrial Control Systems

Chance Younkin, Shamrock Cyber – When Luck Just Isn't Enough

Ashok Vardhan Raja, Exploiting Vulnerabilities in AI-Enabled UAV: Attacks and Defense Mechanisms

Russel Waymire, IDART (Information Design Assurance Red Team): A Red Team Assessment Methodology

Chris Kubecka de Medina, Empowering the Next Generation of Digital Defenders: Ethics in Cybersecurity and Emerging Technologies

David Haddad, AI's Security Maze: Navigating AI's Top Cybersecurity Risks Through Strategic Planning and Resilient Operations

Shagufta Mehnaz, Privacy and Security in ML: A Priority, not an Afterthought

David Stracuzzi, Defining Trusted Artificial Intelligence for the National Security Space

Evan Sultanik, In Pursuit of Silent Flaws: Dataflow Analysis for Bugfinding and Triage

Daniel Shoemaker, Secure Sourcing of COTS Products: A Critical Missing Element in Software Engineering Education

Douglas Huelsbeck, The Importance of Security by Design & The Importance of Including Cybersecurity Experts in Your Business Decisions

Alejandro Cuevas, The Fault in Our Stars: How Reputation Systems Fail in Practice

Sanket Naik, Modern Enterprise Cybersecurity: A CISO perspective

Jennifer Bayuk, Stepping Through Cybersecurity Risk Management A Systems Thinking Approach

Jonathan (Jono) Spring, On Security Operations for AI Systems

Maksim Eren, Tensor Decomposition Methods for Cybersecurity

William Malik, Multifactor Authentication - The Problem, Recommendations, and Future Concerns

Solomon Sonya, Enhancing Cybersecurity via Lessons Learned from the Evolution of Malware

Leigh Metcalf, Grep for Evil

Sandhya Aneja, Invisible Signatures: Device Fingerprinting in a Connected World

Mu Zhang, Backtracking Intrusions in Modern Industrial Internet of Things

Robert Denz, Mind the Gap: Vulnerabilities and Opportunities for Cyber R&D at the Edge

Andy Ellis, How to Build and Measure a Corporate Security Program

Wen Masters, Cyber Risk Analysis for Critical Infrastructure

Steve Lipner, Thinking About the Future of Encryption

Courtney Falk, The Bride of the Pod People

Derek Dervishian, Fuzzing: Understanding the Landscape

Rebecca Herold, Sorting Surveillance Benefits from Harms

Khaled Serag, Vulnerability Identification and Defense Construction in Cyber-Physical Systems

Scott Sage, Erin Miller, How the Cyberspace Domain has Changed the Game for the Space Domain

Christopher Nuland, Enhancing Software Supply Chain Security in Distributed Systems

Stuart Shapiro, MITRE PANOPTIC™ Privacy Threat Model

Rita Foster, Cyber defender's plead - If it's not codified – Please go away

Dr. Anand Singh, The State of Software Supply Chain Security

Marina Gavrilova, Advancements and New Developments in Biometric Privacy, Security and Ethics

Kelly FitzGerald, Don't Copy That Floppy!: A History of Anti-cracking Controls in Early Video Games and Its Economic Impact

Sayak Ray, Pre-Silicon Hardware Security Analysis through Information Flow Tracking - Current Industry Applications and Research Questions

Wendy Nather, CERIAS Security Symposium Closing Keynote

Steve Bellovin, 35 Years of Protecting the Internet

Patrick Schlapfer, Using Endpoint Isolation to Track Malware Trends

Albert Cheng, Elements of Robust Real-Time Systems: Regularity-Based Virtualization and Functional Reactive Programming

Arjan Durresi, Trust Engineering – from Developing Resilient Systems to Artificial Conscience

Dean Cheng, Chinese Views of Information and Future Warfare

Ronald Keen, Increasing Dependency; Increasing Threat

Jason Ortiz, Securing Your Software Supply Chain

Aurobindo Sundaram, Our Journey in Phishing Mitigation

Mummoorthy Murugesan, Problems and Challenges in Data Security Posture Management

Ambrose Kam, Applying Multi-Agent Reinforcement Learning (MARL) in a Cyber Wargame Engine

Julie Haney, Users Are Not Stupid: Six Cybersecurity Pitfalls Overturned

Meng Xu, Fast and Reliable Formal Verification of Smart Contracts with the Move Prover

Brian Barnier &amp; Prachee Kale, Making Cybersecurity Reliable and Cybersecurity Careers Rewarding

Christine Task, Data, Privacy---and the Interactions Between Them

Ning Zhang, Security and Privacy in the Cyber-physical World

Florian Kerschbaum, On Using Differential Privacy

David C. Benson, Stop Selling Cybersecurity Short!: Cybersecurity as a Component of National Power

Maggie MacAlpine, Ransomware and the Future of Cyberwarfare

Dipankar Dasgupta, Adaptive Multi-Factor Authentication & Cyber Identity

Hisham Zahid & David Haddad, Decrypting the Impact of Professional Certifications in Cybersecurity Careers

Brian Barnier & Prachee Kale, Making Cybersecurity Reliable and Cybersecurity Careers Rewarding

Abhilasha Bhargav-Spantzel & Sonnie Ebikwo, "With great power comes great responsibility" – Responsible Cybersecurity Innovations and Investments for Cloud Computing

Melissa Hathaway & Francesca Spidalieri, Integrating Cybersecurity into Digital Development

Adwait Nadkarni, Building Practical Security Systems for the Post-App Smart Home