Position Paper: Towards a Hybrid Approach to Protect Against Memory Safety Vulnerabilities

2022 IEEE Secure Development Conference (SecDev) Pub Date : 2021-06-05 DOI:10.1109/SecDev53368.2022.00020

A. Bhayat, L. Cordeiro, Giles Reger, F. Shmarov, Konstantin Korovin, T. Melham, Kaled Alshamrany, Mustafa A. Mustafa, Pierre Olivier

{"title":"Position Paper: Towards a Hybrid Approach to Protect Against Memory Safety Vulnerabilities","authors":"A. Bhayat, L. Cordeiro, Giles Reger, F. Shmarov, Konstantin Korovin, T. Melham, Kaled Alshamrany, Mustafa A. Mustafa, Pierre Olivier","doi":"10.1109/SecDev53368.2022.00020","DOIUrl":null,"url":null,"abstract":"Memory corruption bugs continue to plague low-level systems software, generally written in unsafe programming languages. In order to detect and protect against such exploits, many pre- and post-deployment techniques exist. In this position paper, we propose and motivate the need for a hybrid approach for the protection against memory safety vulnerabilities, com-bining techniques that can identify the presence (and absence) of vulnerabilities pre-deployment with those that can detect and mitigate such vulnerabilities post-deployment. Our proposed hy-brid approach involves three layers: hardware runtime protection provided by capability hardware, software runtime protection provided by compiler instrumentation, and static analysis pro-vided by bounded model checking and symbolic execution. The key aspect of the proposed hybrid approach is that the protection offered is greater than the sum of its parts - the expense of post-deployment runtime checks is potentially reduced via information obtained during pre-deployment analysis. During pre-deployment analysis, static checking can be guided by runtime information.","PeriodicalId":407946,"journal":{"name":"2022 IEEE Secure Development Conference (SecDev)","volume":"14 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-06-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE Secure Development Conference (SecDev)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SecDev53368.2022.00020","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

Memory corruption bugs continue to plague low-level systems software, generally written in unsafe programming languages. In order to detect and protect against such exploits, many pre- and post-deployment techniques exist. In this position paper, we propose and motivate the need for a hybrid approach for the protection against memory safety vulnerabilities, com-bining techniques that can identify the presence (and absence) of vulnerabilities pre-deployment with those that can detect and mitigate such vulnerabilities post-deployment. Our proposed hy-brid approach involves three layers: hardware runtime protection provided by capability hardware, software runtime protection provided by compiler instrumentation, and static analysis pro-vided by bounded model checking and symbolic execution. The key aspect of the proposed hybrid approach is that the protection offered is greater than the sum of its parts - the expense of post-deployment runtime checks is potentially reduced via information obtained during pre-deployment analysis. During pre-deployment analysis, static checking can be guided by runtime information.

查看原文本刊更多论文

立场文件:迈向防止内存安全漏洞的混合方法

内存损坏bug继续困扰底层系统软件，这些软件通常是用不安全的编程语言编写的。为了检测和防范此类漏洞，存在许多部署前和部署后技术。在这篇意见书中，我们提出并推动了一种针对内存安全漏洞保护的混合方法的需求，将能够在部署前识别漏洞存在(或不存在)的技术与能够在部署后检测和减轻此类漏洞的技术相结合。我们提出的混合方法包括三层:由功能硬件提供的硬件运行时保护，由编译器插装提供的软件运行时保护，以及由有界模型检查和符号执行提供的静态分析。所建议的混合方法的关键方面是所提供的保护大于其各部分的总和——通过在部署前分析期间获得的信息，可以潜在地减少部署后运行时检查的费用。在预部署分析期间，静态检查可以由运行时信息指导。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2022 IEEE Secure Development Conference (SecDev)

自引率

0.00%

发文量