ICSE 2020
Wed 24 June - Thu 16 July 2020
Thu 9 Jul 2020, 00:00 - 00:12 at Baekje - P13-Security. Chair(s): Joshua Garcia

Return-oriented programming (ROP) is an effective code-reuse attack in which short code sequences (i.e., gadgets) ending in a ret instruction are found within existing binaries and then executed by taking control of the call stack. The shadow stack, control flow integrity (CFI) and code (re)randomization are three popular techniques for protecting programs against return address overwrites. However, existing runtime rerandomization techniques operate on concrete return addresses, requiring expensive pointer tracking.

By adding one level of indirection, we introduce BarRA, the first shadow stack mechanism that applies continuous runtime rerandomization to abstract return addresses for protecting their corresponding concrete return addresses (protected also by CFI), thus avoiding expensive pointer tracking. As a nice side-effect, BarRA naturally combines the shadow stack, CFI and runtime rerandomization in the same framework. The key novelty of BarRA, however, is that once some abstract return addresses are leaked, BarRA will enforce the burn-after-reading property by rerandomizing the mapping from the abstract to the concrete return address space in the order of microseconds instead of seconds required for rerandomizing a concrete return address space. As a result, BarRA can be used as a superior replacement for the shadow stack, as demonstrated by comparing both using the 19 C/C++ benchmarks in SPEC CPU2006 (totalling 2,047,447 LOC) and analyzing a proof-of-concept attack, provided that we can tolerate some slight binary code size increases (by an average of 29.44%) and are willing to use 8MB of dedicated memory for holding up to $2^{20}$ return addresses (on a 64-bit platform). Under an information leakage attack (for some return addresses), the shadow stack is always vulnerable but BarRA is significantly more resilient (by reducing an attacker’s success rate to $\frac{1}{2^{20}}$ on average). In terms of the average performance overhead introduced, both are comparable: 6.09% (BarRA) vs. 5.38% (the shadow stack).

Thu 9 Jul (displayed time zone: UTC, Coordinated Universal Time)

00:00 - 01:00  P13-Security (Technical Papers / Software Engineering in Practice) at Baekje
Chair(s): Joshua Garcia (University of California, Irvine)

00:00 (12m, Talk) Burn After Reading: A Shadow Stack with Microsecond-level Runtime Rerandomization for Protecting Return Addresses [Technical Papers; Artifact Available]
Changwei Zou (UNSW Sydney), Jingling Xue (UNSW Sydney)

00:12 (12m, Talk) Automated Identification of Libraries from Vulnerability Data [Software Engineering in Practice]
Chen Yang (Veracode, Inc.), Andrew Santosa (Veracode, Inc.), Asankhaya Sharma (Veracode, Inc.), David Lo (Singapore Management University)
Pre-print; media attached

00:24 (12m, Talk) Unsuccessful Story about Few Shot Malware-Family Classification and Siamese Network to the Rescue [Technical Papers]
Yude Bai (Tianjin University), Zhenchang Xing (Australia National University), Xiaohong Li (Tianjin University), Zhiyong Feng (Tianjin University), Duoyuan Ma (Tianjin University)

00:36 (12m, Talk) SpecuSym: Speculative Symbolic Execution for Cache Timing Leak Detection [Technical Papers]
Shengjian Guo (Baidu X-Lab), Yueqi Chen (The Pennsylvania State University), Peng Li (Baidu X-Lab), Yueqiang Cheng (Baidu Security), Huibo Wang (Baidu X-Lab), Meng Wu (Ant Financial), Zhiqiang Zuo (Nanjing University, China)

00:48 (12m, Talk) Building and Maintaining a Third-Party Library Supply Chain for Productive and Secure SGX Enclave Development [Software Engineering in Practice]
Pei Wang (Baidu X-Lab), Yu Ding (Baidu X-Lab), Mingshen Sun (Baidu X-Lab), Huibo Wang (Baidu X-Lab), Tongxin Li (Baidu X-Lab), Rundong Zhou (Baidu X-Lab), Zhaofeng Chen, Yiming Jing (Baidu X-Lab)