
CRII: SaTC: Comprehensive and Automated Techniques for Evaluating Defenses Against Code Reuse Attacks

$189,501 | FY2015 | CSE | NSF

University of Rochester, Rochester, NY

Investigators

Abstract

Modern society relies on computers to manage and transmit sensitive data. These computers run our banks, provide our telecommunications services (such as phone, TV, and Internet), and operate critical systems found in automobiles and power grids. The software on these systems is vulnerable to automated attacks and, if attacked successfully, can be used to cause the loss of money, property, and life. While researchers have developed automated, easy-to-use countermeasures to thwart such attacks, it is unclear whether these countermeasures work. Existing evaluations of such countermeasures are typically expensive because they are done by hand. They are also often wrong; attackers are able to defeat such countermeasures by increasing the sophistication of their attacks. If we do not know how well our defenses work, we do not know if we are safe. One common type of automated attack is the code reuse attack. This research investigates techniques and develops a tool that automatically determines whether a given countermeasure prevents code reuse attacks from working. This tool uses comprehensive static analysis to automatically determine which program instructions a code reuse attack may employ, whether the malicious computations of an attack can be mapped to those instructions, and whether the defense being analyzed prevents those instructions from being executed in the required order. The tool is automated and its static analysis is designed to aggressively consider all potential ways in which an attacker can reuse code in an attack. With this tool, users can determine whether existing defenses suffice to protect our computers or whether additional defenses are necessary. The project is developing metrics to enable tool users to compare defenses and state the level of security that a defense provides to a given program.
