SYSTEMATIC ANALYSIS AND EVALUATION OF MEMORY CORRUPTION ATTACKS IN THE SPECTRE ERA

Abstract

Security researchers commonly explore attacks and defenses with a focus on one specific threat model. For example, researchers generally consider memory corruption vulnerabilities [10, 18, 20, 80, 81, 90, 93, 102] and speculative execution vulnerabilities [1, 14, 16, 25, 42, 49, 50, 58, 60, 85, 95, 96] as two different threat models and have proposed very different mitigation mechanisms for each of them. However, a key problem with such a research approach is that it is easy to miss vulnerabilities that arise from the synergies between multiple threat models. In this proposal, we aim to identify and address the limitations of such a research approach by studying the synergies between memory corruption vulnerabilities and speculative execution vulnerabilities, two long-lasting security threats. Given that both vulnerability classes seriously affect a wide range of software and hardware systems, there has been extensive work on developing mitigations against each of them. However, almost all of the prior work focuses on only one of the threats, never both. As a motivating example, PI Yan has demonstrated the PACMAN attacks [79], which leverage speculative execution to break an important security feature called ARM Pointer Authentication (ARM PA for short) [78], a memory safety mechanism that protects pointer integrity and serves as the primary barrier to gaining arbitrary code execution [93]. Our work highlights the necessity of considering comprehensive threat models and calls for a more systematic and thorough research methodology for designing systems that are secure against hybrid attack vectors. Moreover, the key insight is that the PACMAN attacks are not specific to the ARM PA mechanism [9, 78]. The philosophy behind the PACMAN attacks is fundamental and general, and it could affect a wide range of memory corruption mitigation mechanisms.
We propose two synergistic tasks to systematically analyze and evaluate memory corruption attacks under the speculative execution threat model. Task 1 aims to conduct a comprehensive security analysis of existing defenses, including both deployed mechanisms developed in industry and futuristic defenses proposed in academia. We will start with a systematic categorization of existing mitigations and provide guidelines for categorizing future designs. Task 2 aims to investigate practical attack vectors against these vulnerable mitigation mechanisms, demonstrate proof-of-concept exploitations, and provide a comprehensive evaluation of possible attack variations. We plan to develop a toolset to evaluate attack variations in terms of the availability of speculative gadgets, attack bandwidth, and attack accuracy, in order to better assess the threat posed by each attack vector. The evaluation results can be used to quantitatively compare the robustness of different mitigation mechanisms and to guide the design of next-generation memory corruption mitigations. Overall, this proposal studies a new research direction that has scarcely been explored by other researchers. Prior work generally focuses narrowly on a single threat model, either memory corruption vulnerabilities or speculative execution vulnerabilities. We instead look at security problems that arise from the synergies between the two threat models and strive to establish a foundation for exploring robust mitigation solutions that will be resilient to hybrid attack vectors.

Document Details

Document Type
DoD Grant Award
Publication Date
Apr 20, 2023
Source ID
FA95502210511

Entities

People

  • Mengjia Yan

Organizations

  • Air Force Office of Scientific Research
  • Massachusetts Institute of Technology
  • United States Air Force

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Parallel and Distributed Computing
  • Systems Analysis and Design