- Advanced Malware Detection Techniques
- Security and Verification in Computing
- Software Testing and Debugging Techniques
- Software Engineering Research
- Software System Performance and Reliability
- Network Security and Intrusion Detection
- Cloud Data Security Solutions
- Software Reliability and Analysis Research
- Diamond and Carbon-based Materials Research
- Parallel Computing and Optimization Techniques
- Web Application Security Vulnerabilities
- Autonomous Vehicle Technology and Safety
- Digital and Cyber Forensics
- Biometric Identification and Security
- Physical Unclonable Functions (PUFs) and Hardware Security
- Internet Traffic Analysis and Secure E-voting
- Distributed systems and fault tolerance
- Radiation Effects in Electronics
- Advanced Memory and Neural Computing
- Radar Systems and Signal Processing
- Software Engineering Techniques and Practices
- Chaos-based Image/Signal Encryption
- VLSI and Analog Circuit Testing
- Access Control and Trust
- Information and Cyber Security
Twin Cities Orthopedics
2018-2024
University of Minnesota
2018-2024
University of Minnesota System
2018-2024
Xi'an Jiaotong University
2022
Guangdong Ocean University
2021
Georgia Institute of Technology
2013-2017
Singapore Management University
2011
Peking University
2011
A general prerequisite for a code reuse attack is that the attacker needs to locate gadgets perform desired operations and then direct control flow of vulnerable application those gadgets. Address Space Layout Randomization (ASLR) attempts stop attacks by making first part unsatisfiable. However, research in recent years has shown this protection often defeated commonly existing information leaks, which provides attackers clues about whereabouts certain In paper, we present ASLR-Guard, novel...
The operation system kernel is the foundation of whole and often de facto trusted computing base for many higher level security mechanisms. Unfortunately, vulnerabilities are not rare continuously being introduced with new features. Once compromised, attackers can bypass any access control checks, escalate their privileges, hide evidence attacks. Many protection mechanisms have been proposed deployed to prevent exploits. However, a majority these techniques only focus on preventing control-flow...
Existing techniques for memory randomization such as the widely explored Address Space Layout Randomization (ASLR) perform a single, per-process that is applied before or at process' load-time. The efficacy of upfront randomizations crucially relies on assumption an attacker has only one chance to guess randomized address, and this attack succeeds with very low probability. Recent research results have shown not valid in many scenarios, e.g., daemon servers fork child processes inherent state...
During system call execution, it is common for operating kernels to read userspace memory multiple times (multi-reads). A critical bug may exist if the fetched subject change across these reads, i.e., a race condition, which known as double-fetch bug. Prior works have attempted detect bugs both statically and dynamically. However, due their improper assumptions imprecise definitions regarding bugs, multi-read detection inherently limited suffers from significant false positives negatives....
System software commonly uses indirect calls to realize dynamic program behaviors. However, indirect-calls also bring challenges constructing a precise control-flow graph that is standard pre-requisite for many static program-analysis and system-hardening techniques. Unfortunately, identifying indirect-call targets hard problem. In particular, modern compilers do not recognize by default. Existing approaches identify based on type analysis matches the types of function pointers ones...
Operating system kernel is the de facto trusted computing base for most computer systems. To secure OS kernel, many security mechanisms, e.g., kASLR and StackGuard, have been increasingly deployed to defend against attacks (e.g., code reuse attack). However, effectiveness of these protections has proven be inadequate-there are information leak vulnerabilities in randomized pointer or canary, thus bypassing StackGuard. Other sensitive data such as cryptographic keys file caches, can also...
Fuzzing is popular for bug detection and vulnerability discovery nowadays. To adopt fuzzing concurrency problems like data races, several recent approaches consider information of program execution, explore thread interleavings by affecting scheduling at runtime. However, these are still limited in data-race detection. On the one hand, they fail to execution contexts interleavings, which can miss real races specific runtime contexts. On other perform random thread-interleaving exploration,...
This paper introduces a novel fuzzing framework, SyzParam which incorporates runtime parameters into the process. Achieving this objective requires addressing several key challenges, including valid value extraction, inter-device relation construction, and fuzz engine integration. By inspecting data structures functions associated with LKDM, our tool can extract across various drivers through static analysis. Additionally, collects relations identifies associations between drivers....
Operating system kernels carry a large number of security checks to validate security-sensitive variables and operations. For example, check should be embedded in code ensure that user-supplied pointer does not point the kernel space. Using security-checked is typically safe. However, reality, are often subject modification after check. If recheck lacking modification, issues may arise, e.g., adversaries can control checked variable launch critical attacks such as out-of-bound memory access...
A flurry of fuzzing tools (fuzzers) have been proposed in the literature, aiming at detecting software vulnerabilities effectively and efficiently. To date, it is however still challenging to compare fuzzers due inconsistency benchmarks, performance metrics, and/or environments for evaluation, which buries useful insights thus impedes discovery promising primitives. In this paper, we design develop UNIFUZZ, an open-source metrics-driven platform assessing a comprehensive quantitative manner....
Many software obfuscation techniques have been proposed to hide program instructions or logic and make reverse engineering hard. In this paper, we introduce a new property in obfuscation, namely steganography, where certain are "diffused" others such way that they non-existent until execution. Program steganography does not raise suspicion analysis, conforms the W⊕X mandatory code signing security mechanisms. We further implement RopSteg, novel system, provide (to degree) using...
With the rapid technology evolution of Internet Things (IoT) and increasing user needs, IoT device re-using becomes more common nowadays. For instance, than 300,000 used devices are selling on Craigslist. During re-using, sensitive data such as credentials biometrics residing in these may face risk leakage if a fails properly dispose data. Thus, critical security concern is raised: do (or can) users IoT? To best our knowledge, it still an unexplored problem that desires systematic study. In...
A bug is a vulnerability if it has security impacts when triggered. Determining the of important to both defenders and attackers. Maintainers large software systems are bombarded with numerous reports proposed patches, missing or unreliable information about their impact. Determining which few bugs vulnerabilities difficult, that maintainer believes do not have impact will be de-prioritized even ignored. On other hand, public report powerful first step towards exploitation. Adversaries may...
With the wide deployment of security mechanisms such as Address Space Layout Randomization (ASLR), memory disclosures have become a prerequisite for critical memory-corruption attacks (e.g., code-reuse attack)-adversaries are forced to exploit circumvent ASLR first step. As result, threats now significantly aggravated-they break not only data confidentiality but also effectiveness mechanisms. In this paper, we propose general detection methodology and develop system stop disclosures. We...
We propose a novel dynamic software watermarking design based on Return-Oriented Programming (ROP). Our formats code into well-crafted data arrangements that look like normal but could be triggered to execute. Once triggered, the pre-constructed ROP execution will recover hidden watermark message. The proposed ROP-based technique is more stealthy and resilient over existing techniques since allocated dynamically region therefore out of reach attacks analysis. Evaluations show our not only...
Memory-corruption attacks such as code-reuse and data-only have been a key threat to systems security. To counter these threats, researchers proposed variety of defenses, including control-flow integrity (CFI), code-pointer (CPI), code (re-)randomization. All them, be effective, require security primitive—intra-process protection confidentiality and/or for sensitive data (such CFI's shadow stack CPI's safe region). In this paper, we propose SEIMI, highly efficient intra-process memory...