Concurrency Attacks and Defenses

Abstract

Multithreaded programs are getting increasingly pervasive and critical. Unfortunately, they remain extremely difficult to write. This difficulty has led to many subtle but serious concurrency vulnerabilities such as race conditions in real-world multithreaded programs. Just as vulnerabilities in sequential programs can lead to security exploits, concurrency vulnerabilities can also be exploited by attackers to gain privilege, steal information, inject arbitrary code, etc. Concurrency attacks targeting these vulnerabilities are impending (see CVE http://www.cvedetails.com/vulnerability-list/cweid-362/vulnerabilities.html), yet few existing defense techniques can deal with concurrency vulnerabilities. In fact, many of the traditional defense techniques are rendered unsafe by concurrency vulnerabilities. The objective of this project is to take a holistic approach to creating novel program analysis/protection techniques and a system called DASH to secure multithreaded programs and harden traditional defense techniques in a concurrency environment. We do so by selectively combining static and dynamic techniques, thus getting the best of both worlds. We anticipate numerous contributions from this project; the main ones are: (1) a thorough understanding of concurrency attacks and their implications to traditional defense techniques; (2) accurate and effective techniques to detect, avoid, and survive concurrency vulnerabilities; and (3) hardening of traditional defense techniques for multithreaded programs. The greatest impact of our project is a novel approach and the DASH system for improving software security and reliability, thus greatly benefiting the Nation's cyber security. DASH can also be used for offense: the Military can gain new competitive means in cyber warfare by running DASH to identify concurrency vulnerabilities in the infrastructure of hostile nations.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Oct 04, 2016
Accession Number
AD1021894

Entities

People

  • Junfeng Yang

Organizations

  • Columbia University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Classification
  • Computer Programming
  • Computer Science
  • Computer Security
  • Computers
  • Cyber Warfare
  • Cyberattacks
  • Detection
  • Governments
  • Information Security
  • Infrastructure
  • Intellectual Property
  • Language
  • Law
  • Multithreading
  • New York
  • Operating Systems
  • Programming Languages
  • Quality Assurance
  • Reliability
  • Scientific Research
  • Security
  • Software Development
  • Technology Transfer
  • Universities
  • Vulnerability

Fields of Study

  • Computer science

Readers

  • Applied Combinatorial Optimization and Logic Circuit Design.
  • Cybersecurity.
  • Systems Analysis and Design

Technology Areas

  • Cyber