Fighting the Memory War: Stopping Control-Flow Hijack Attacks

Mathias Payer (Purdue University)

Abstract: Memory corruption vulnerabilities are omnipresent in programs written in low-level languages like C or C++. Attackers use such vulnerabilities to gain or escalate privileges on a machine by hijacking control flow and executing attacker-controlled code. Strong defense mechanisms either enforce (some form of) memory safety or detect an exploit while it is happening. Unfortunately, deployment of new defenses is slow because they either (i) have prohibitive performance overhead, (ii) do not support features like libraries, or (iii) require heavyweight system and source-code changes.
We present Lockdown, a dynamic, modular Control-Flow Integrity mechanism that protects applications against realistic control-flow hijack attacks. Lockdown is a binary-only approach that uses dynamic binary analysis and dynamic binary translation to rewrite and protect applications as they are being executed. Our open-source prototype implementation has low overhead in practice (less than 19% for SPEC CPU2006).
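As an added illustration (not part of the talk or of the Lockdown code base), the C program below shows the kind of control-flow hijack the abstract refers to and the check a Control-Flow Integrity mechanism inserts at an indirect call site. The struct layout, the handler names and the allowlist of valid targets are assumptions made for this example; the abstract describes Lockdown deriving and enforcing its policy at run time through dynamic binary analysis and translation, not from a hand-written table.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

typedef int (*handler_t)(const char *);

/* Legitimate handlers: the only valid targets of the indirect call below. */
static int handler_ok(const char *msg)  { (void)msg; return 1; }
static int handler_alt(const char *msg) { (void)msg; return 2; }

/* Stand-in for code an attacker wants to reach (e.g. a privileged routine
   that is never meant to be called through the handler pointer). */
static int privileged_shell(const char *msg) { (void)msg; return 42; }

/* Assumed record layout: a fixed buffer directly followed by a function
   pointer. Copying too many bytes into buf overwrites fn, the hijack primitive. */
struct request {
    char      buf[16];
    handler_t fn;
};

/* Assumed allowlist of valid targets for this call site. A static CFI policy
   derives such a set from source; a binary-only CFI derives it from the binary. */
static const handler_t valid_targets[] = { handler_ok, handler_alt };

static bool cfi_check(handler_t target) {
    for (size_t i = 0; i < sizeof valid_targets / sizeof valid_targets[0]; i++)
        if (valid_targets[i] == target)
            return true;
    return false;
}

/* Vulnerable dispatch: no bounds check on len, then an unguarded
   indirect call through whatever fn now contains. */
static int dispatch_unprotected(const unsigned char *input, size_t len) {
    struct request r;
    r.fn = handler_ok;
    /* BUG: len is never checked against sizeof r.buf, so a long input runs
       past buf and overwrites fn. (Written as a copy into the record rather
       than into buf so the overrun stays inside the object.) */
    memcpy(&r, input, len);
    return r.fn("hello");
}

/* Same bug, but the indirect call is guarded by a CFI check, the kind of
   check a binary-rewriting CFI inserts before every indirect call. */
static int dispatch_cfi(const unsigned char *input, size_t len) {
    struct request r;
    r.fn = handler_ok;
    memcpy(&r, input, len);             /* same overflow as above */
    if (!cfi_check(r.fn))
        return -1;                      /* hijack detected: refuse the call */
    return r.fn("hello");
}

/* Constructed attacker input: fill buf, then overwrite fn with `target`.
   The pointer is taken at run time so the payload works under ASLR. */
static size_t build_payload(handler_t target, unsigned char *out) {
    memset(out, 'A', offsetof(struct request, fn));
    memcpy(out + offsetof(struct request, fn), &target, sizeof target);
    return sizeof(struct request);
}

int exploit_unprotected(void) {         /* 42: control flow was hijacked */
    unsigned char p[sizeof(struct request)];
    return dispatch_unprotected(p, build_payload(privileged_shell, p));
}

int exploit_cfi(void) {                 /* -1: hijack blocked at the call site */
    unsigned char p[sizeof(struct request)];
    return dispatch_cfi(p, build_payload(privileged_shell, p));
}

int benign_cfi(void) {                  /* 2: a valid target is still allowed */
    unsigned char p[sizeof(struct request)];
    return dispatch_cfi(p, build_payload(handler_alt, p));
}

int main(void) {
    printf("unprotected: %d\ncfi: %d\nbenign: %d\n",
           exploit_unprotected(), exploit_cfi(), benign_cfi());
    return 0;
}
```

Note the caveat this makes visible: the CFI check stops the call from reaching privileged_shell, but it does not stop the memory corruption itself. An attacker who redirects fn to handler_alt, a member of the same equivalence class, passes the check, which is why the precision of the target sets (not just the presence of a check) determines how much a CFI mechanism actually restricts an exploit.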

Bio: Mathias Payer is a security researcher and an assistant professor in computer science at Purdue University. His interests include system security, binary exploitation, user-space software-based fault isolation, binary translation/recompilation, and (application) virtualization. His research centers on protecting applications even in the presence of vulnerabilities, with a focus on memory corruption.