Current software attacks often build on exploits that subvert machine-code execution. The enforcement of a basic safety property, Control-Flow Integrity (CFI), can prevent such attacks from arbitrarily controlling program behavior. CFI enforcement is simple, and its guarantees can be established formally even with respect to powerful adversaries. Moreover, CFI enforcement is practical: it is compatible with existing software and can be done efficiently using software rewriting in commodity systems. Finally, CFI provides a useful foundation for enforcing further security policies, as we demonstrate with efficient software implementations of a protected shadow call stack and of access control for memory regions.

/pdf/control-flow-integrity-527y2pjmui.pdf

Control-flow integrity

We describe a new, general approach for safeguarding systems against any type of code-injection attack. We apply Kerckhoff's principle, by creating process-specific randomized instruction sets (e.g., machine instructions) of the system executing potentially vulnerable software. An attacker who does not know the key to the randomization algorithm will inject code that is invalid for that randomized processor, causing a runtime exception. To determine the difficulty of integrating support for the proposed mechanism in the operating system, we modified the Linux kernel, the GNU binutils tools, and the bochs-x86 emulator. Although the performance penalty is significant, our prototype demonstrates the feasibility of the approach, and should be directly usable on a suitable-modified processor (e.g., the Transmeta Crusoe).Our approach is equally applicable against code-injecting attacks in scripting and interpreted languages, e.g., web-based SQL injection. We demonstrate this by modifying the Perl interpreter to permit randomized script execution. The performance penalty in this case is minimal. Where our proposed approach is feasible (i.e., in an emulated environment, in the presence of programmable or specialized hardware, or in interpreted languages), it can serve as a low-overhead protection mechanism, and can easily complement other mechanisms.

/pdf/countering-code-injection-attacks-with-instruction-set-1m4firgxpp.pdf

Countering code-injection attacks with instruction-set randomization

Cyclone is a safe dialect of C. It has been designed from the ground up to prevent the buffer overflows, format string attacks, and memory management errors that are common in C programs, while retaining C’s syntax and semantics. This paper examines safety violations enabled by C’s design, and shows how Cyclone avoids them, without giving up C’s hallmark control over low-level details such as data representation and memory management.

/pdf/cyclone-a-safe-dialect-of-c-4nks1e2hk6.pdf

Cyclone: A Safe Dialect of C

This article presents a survey of denial of service attacks and the methods that have been proposed for defense against these attacks. In this survey, we analyze the design decisions in the Internet that have created the potential for denial of service attacks. We review the state-of-art mechanisms for defending against denial of service attacks, compare the strengths and weaknesses of each proposal, and discuss potential countermeasures against each defense mechanism. We conclude by highlighting opportunities for an integrated solution to solve the problem of distributed denial of service attacks.

/pdf/survey-of-network-based-defense-mechanisms-countering-the-4arcuz8045.pdf

Survey of network-based defense mechanisms countering the DoS and DDoS problems

Current software attacks often build on exploits that subvert machine-code execution. The enforcement of a basic safety property, control-flow integrity (CFI), can prevent such attacks from arbitrarily controlling program behavior. CFI enforcement is simple and its guarantees can be established formally, even with respect to powerful adversaries. Moreover, CFI enforcement is practical: It is compatible with existing software and can be done efficiently using software rewriting in commodity systems. Finally, CFI provides a useful foundation for enforcing further security policies, as we demonstrate with efficient software implementations of a protected shadow call stack and of access control for memory regions.

Control-Flow Integrity - Principles, Implementations, and Applications

Most security attacks exploit instances of well-known classes of implementation flaws. Developers could detect and eliminate many of these flaws before deploying the software, yet these problems persist with disturbing frequency-not because the security community doesn't sufficiently understand them but because techniques for preventing them have not been integrated into the software development process. This article describes an extensible tool that uses lightweight static analysis to detect common security vulnerabilities (including buffer overflows and format string vulnerabilities).

/pdf/improving-security-using-extensible-lightweight-static-1j0yiwids5.pdf

Improving security using extensible lightweight static analysis

Buffer overflow attacks may be today's single most important security threat. This paper presents a new approach to mitigating buffer overflow vulnerabilities by detecting likely vulnerabilities through an analysis of the program source code. Our approach exploits information provided in semantic comments and uses lightweight and efficient static analyses. This paper describes an implementation of our approach that extends the LCLint annotation-assisted static checking tool. Our tool is as fast as a compiler and nearly as easy to use. We present experience using our approach to detect buffer overflow vulnerabilities in two security-sensitive programs.

/pdf/statically-detecting-likely-buffer-overflow-vulnerabilities-3kapf1xcp8.pdf

Statically detecting likely buffer overflow vulnerabilities

The agglomeration of rules and regulations over time has produced a body of legal code that no single individual can fully comprehend. This complexity produces inefficiencies, makes the processes of understanding and changing the law difficult, and frustrates the fundamental principle that the law should provide fair notice to the governed. In this article, we take a quantitative, unbiased, and software-engineering approach to analyze the evolution of the United States Code from 1926 to today. Software engineers frequently face the challenge of understanding and managing large, structured collections of instructions, directives, and conditional statements, and we adapt and apply their techniques to the U.S. Code over time. Our work produces insights into the structure of the U.S. Code as a whole, its strengths and vulnerabilities, and new ways of thinking about individual laws. For example, we identify the first appearance and spread of important terms in the U.S. Code like "whistleblower" and "privacy." We also analyze and visualize the network structure of certain substantial reforms, including the Patient Protection and Affordable Care Act (PPACA) and the Dodd-Frank Wall Street Reform and Consumer Protection Act, and show how the interconnections of references can increase complexity and create the potential for unintended consequences. Our work is a timely illustration of computational approaches to law as the legal profession embraces technology for scholarship, to increase efficiency, and to improve access to justice.

/pdf/law-is-code-a-software-engineering-approach-to-analyzing-the-6g8jiprjmh.pdf

Law is Code: A Software Engineering Approach to Analyzing the United States Code

The agglomeration of rules and regulations over time has produced a body of legal code that no single individual can fully comprehend. This complexity produces inefficiencies, makes the processes of understanding and changing the law difficult, and frustrates the fundamental principle that the law should provide fair notice to the governed. In this Article, we take a quantitative, unbiased, and softwareengineering approach to analyze the evolution of the United States Code from 1926 to today. Software engineers frequently face the challenge of understanding and managing large, structured collections of instructions, directives, and conditional statements, and we adapt and apply their techniques to the U.S. Code over time. Our work produces insights into the structure of the U.S. Code as a whole, its strengths and vulnerabilities, and new ways of thinking about individual laws. For example, we identify the first appearance and spread of important terms in the U.S. © 2015 William Li, Pablo Azar, David Larochelle, Phil Hill, and Andrew W. Lo * William Li is a Ph.D. student in the Computer Science and Artificial Intelligence Laboratory (CSAIL) and a 2012 graduate of the Technology and Policy Program at the Massachusetts Institute of Technology (MIT). ** Pablo Azar is a doctoral student in Economics at the Massachusetts Institute of Technology (MIT) and a 2014 Computer Science Ph.D. graduate of MIT. *** David Larochelle is an engineer at the Berkman Center for Internet & Society at Harvard University. **** Phil Hill is an associate with Kirkland & Ellis LLP. He is a past Fellow at the Berkman Center for Internet & Society at Harvard University and a 2013 J.D. graduate of Harvard Law School. ***** Andrew W. Lo is the Charles E. and Susan T. Harris Professor at the MIT Sloan School of Management, Principal Investigator in the Computer Science and Artificial Intelligence Laboratory (CSAIL) at the Massachusetts Institute of Technology (MIT), and a joint faculty in the MIT Electrical Engineering and Computer Science Department. † We thank seminar participants at Columbia University, Indiana University, the International Monetary Fund, MIT’s Computer Science and Artificial Intelligence Laboratory, Harvard’s Berkman Center for Internet & Society, the 2015 New England Database Day conference, the Pacific Institute of Mathematical Sciences, and Yale Law School for helpful comments and discussion. Research support from the MIT Laboratory for Financial Engineering is gratefully acknowledged. We also thank Jayna Cummings, the Journal of Business & Technology Law’s editor-in-chief, Nicholas R. Rodriguez, and the Journal’s editorial board for many helpful editorial comments.

/pdf/law-is-code-a-software-engineering-approach-to-analyzing-the-39s1ggluen.pdf

David Larochelle

Papers

Improving security using extensible lightweight static analysis

Statically detecting likely buffer overflow vulnerabilities

Law is Code: A Software Engineering Approach to Analyzing the United States Code

Law Is Code: A Software Engineering Approach to Analyzing the United States Code

focus Security Using Extensible Lightweight Static Analysis