Reasoning about Probabilistic Defense Mechanisms against Remote Attacks

Abstract

Despite numerous countermeasures proposed by practitioners andresearchers, remote control-flow alteration of programs withmemory-safety vulnerabilities continues to be a realisticthreat. Guaranteeing that complex software is completely free of memory-safety vulnerabilities is extremely expensive. Probabilistic countermeasures that depend on random secret keys are interesting, because they are an inexpensive way to raise the bar for attackers who aim to exploit memory-safety vulnerabilities. Moreover, some countermeasures even support legacy systems. However, it is unclear how to quantify and compare the effectiveness of different probabilistic countermeasures or combinations of such countermeasures. In this paper we propose a methodology to rigorously derive security boundsfor probabilistic countermeasures. We argue that by representingsecurity notions in this setting as events in probabilistic games, similarly as done with cryptographic security definitions, concreteand asymptotic guarantees can be obtained against realisticattackers. These guarantees shed light on the effectiveness of singlecountermeasures and their composition and allow practitioners to moreprecisely gauge the risk of an attack.