Proceedings ArticleDOI
Control-flow integrity
Martín Abadi,Mihai Budiu,Úlfar Erlingsson,Jay Ligatti +3 more
- pp 340-353
Reads0
Chats0
TLDR
Control-Flow Integrity provides a useful foundation for enforcing further security policies, as it is demonstrated with efficient software implementations of a protected shadow call stack and of access control for memory regions.Abstract:
Current software attacks often build on exploits that subvert machine-code execution. The enforcement of a basic safety property, Control-Flow Integrity (CFI), can prevent such attacks from arbitrarily controlling program behavior. CFI enforcement is simple, and its guarantees can be established formally even with respect to powerful adversaries. Moreover, CFI enforcement is practical: it is compatible with existing software and can be done efficiently using software rewriting in commodity systems. Finally, CFI provides a useful foundation for enforcing further security policies, as we demonstrate with efficient software implementations of a protected shadow call stack and of access control for memory regions.read more
Citations
More filters
Journal ArticleDOI
Vigilante: end-to-end containment of internet worms
Manuel Costa,Jon Crowcroft,Miguel Castro,Antony Rowstron,Lidong Zhou,Lintao Zhang,Paul Barham +6 more
TL;DR: Vigilante, a new end-to-end approach to contain worms automatically that addresses limitations of network-level techniques, can automatically contain fast-spreading worms that exploit unknown vulnerabilities without blocking innocuous traffic.
Proceedings Article
Control-Flow Integrity - Principles, Implementations, and Applications
TL;DR: Control-flow integrity provides a useful foundation for enforcing further security policies, as it is demonstrated with efficient software implementations of a protected shadow call stack and of access control for memory regions.
Proceedings ArticleDOI
SoK: Eternal War in Memory
TL;DR: The current knowledge about various protection techniques are systematized by setting up a general model for memory corruption attacks, and what policies can stop which attacks are shown, to analyze the reasons why protection mechanisms implementing stricter polices are not deployed.
Proceedings ArticleDOI
Return-oriented programming without returns
Stephen Checkoway,Lucas Davi,Alexandra Dmitrienko,Ahmad-Reza Sadeghi,Hovav Shacham,Marcel Winandy +5 more
TL;DR: It is shown that on both the x86 and ARM architectures it is possible to mount return-oriented programming attacks without using return instructions, and these attacks instead make use of certain instruction sequences that behave like a return.
Journal ArticleDOI
Control-flow integrity principles, implementations, and applications
TL;DR: Control-flow integrity (CFI) as discussed by the authors is a basic safety property, which can prevent malicious code from arbitrarily controlling program behavior, even with respect to powerful adversaries, and can be enforced formally.
References
More filters
Book
Compilers: Principles, Techniques, and Tools
TL;DR: This book discusses the design of a Code Generator, the role of the Lexical Analyzer, and other topics related to code generation and optimization.
Proceedings ArticleDOI
A sense of self for Unix processes
TL;DR: A method for anomaly detection is introduced in which "normal" is defined by short-range correlations in a process' system calls, and initial experiments suggest that the definition is stable during normal behaviour for standard UNIX programs.
Proceedings ArticleDOI
Proof-carrying code
TL;DR: It is shown in this paper how proof-carrying code might be used to develop safe assembly-language extensions of ML programs and the adequacy of concrete representations for the safety policy, the safety proofs, and the proof validation is proved.
Proceedings Article
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
Crispin Cowan,Calton Pu,Dave Maier,Heather Hintony,Jonathan Walpole,Peat Bakke,Steve Beattie,Aaron Grier,Perry Wagle,Qian Zhang +9 more
TL;DR: StackGuard is described: a simple compiler technique that virtually eliminates buffer overflow vulnerabilities with only modest performance penalties, and a set of variations on the technique that trade-off between penetration resistance and performance.
Proceedings ArticleDOI
Efficient software-based fault isolation
TL;DR: It is demonstrated that for frequently communicating modules, implementing fault isolation in software rather than hardware can substantially improve end-to-end application performance.