MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation

Link: https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-pailoor.pdf
Source Code: N/A
Summary: Syzkaller is one of the most popular kernel fuzzers. It generates sequences of random system calls, and because of that randomness most of the generated programs are unrealistic: they waste fuzzing time because the generator does not consider the dependencies (both implicit and explicit) among system calls. There are some other kernel fuzzers that use…

RAZZER: Finding Kernel Race Bugs through Fuzzing 

Link: https://lifeasageek.github.io/papers/jeong:razzer.pdf
Source Code: https://github.com/compsec-snu/razzer
Background: A user program can invoke different syscalls in arbitrary order, and each syscall eventually executes different kernel code. If the syscalls are invoked from two different user threads, their respective kernel code also runs in two different kernel threads. This characteristic raises interesting questions: could a user program…

GRIFFIN: Guarding Control Flows Using Intel Processor Trace

Link: https://dl.acm.org/citation.cfm?id=3037716
Source Code: https://github.com/TJAndHisStudents/Griffin-Trace
Summary: The authors concentrate on showing that the performance overhead of online verification with Intel PT can be optimized to an acceptable level. They claim to enforce policies for both backward and forward indirect control transfers at several levels of strictness, but they leave out entirely the discussion of how those policies (the control-flow graphs being checked against) are obtained.
Design: To efficiently…

Transparent and Efficient CFI Enforcement with Intel Processor Trace

Link: http://ieeexplore.ieee.org/document/7920853/#full-text-section
Source Code: N/A
Summary: The project aims to protect indirect control transfers using a coarse-grained indirect control-flow graph, checking the Intel PT trace only at security-sensitive system calls. The system combines a fast check and a slow check to achieve efficiency. The fast check does not require decoding the trace and is only available…

PT-CFI: Transparent Backward-Edge Control Flow Violation Detection Using Intel Processor Trace

Link: https://dl.acm.org/citation.cfm?doid=3029806.3029830
Source Code: N/A
Summary: Intel Processor Trace (PT) is a hardware feature intended for offline debugging. It records compressed data packets describing indirect control transfers, taken/not-taken conditional branches, and so on. PT-CFI uses this hardware feature to protect backward edges (returns) by enforcing a shadow-stack style policy over the trace. It leaves forward indirect control transfers out…

HexType: Efficient Detection of Type Confusion Errors for C++

Link: https://dl.acm.org/citation.cfm?id=3134062
Source Code: https://github.com/HexHive/HexType
Summary: In a typed programming language, typecasting is a common operation. Under the object-oriented paradigm this feature turns into a dangerous attack surface. Casting a derived-class object to its parent class (an upcast) is usually safe, since the parent class's members are a subset of the derived class's. On the…

Stack Bounds Protection with Low Fat Pointers

Link: https://www.comp.nus.edu.sg/~gregory/papers/ndss17stack.pdf
Source Code: https://github.com/GJDuck/LowFat
Summary: This work extends the authors' earlier paper on heap bounds protection with low-fat pointers. The low-fat pointer concept originated in that earlier paper, and this one restates it in good detail. The basic idea of low-fat pointers is to use the pointer value itself to compute the object's bounds instead of extending…
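To make "use the pointer value itself to compute the object's bounds" concrete, here is an added simulation of the low-fat layout; it is not the LowFat runtime, which uses many more size classes, very large virtual regions and compiler instrumentation. The heap is split into equal regions, each holding only objects of one size, so the region a pointer falls in gives the object size and the pointer's offset into the region, rounded down, gives the object base. The size classes, region size and bump allocator are assumptions chosen for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Size classes, one per region (hypothetical values for the illustration).
static const size_t SIZES[] = {16, 32, 64, 128};
static const size_t NUM_REGIONS = sizeof(SIZES) / sizeof(SIZES[0]);
static const size_t REGION_SIZE = 4096;

// The simulated heap: NUM_REGIONS contiguous regions. alignas(128) makes every
// region start a multiple of every size class, so objects packed from the
// region start are naturally aligned to their own size.
alignas(128) static unsigned char g_heap[NUM_REGIONS * REGION_SIZE];
static size_t g_bump[NUM_REGIONS] = {0};   // per-region bump allocator

static inline uintptr_t heap_lo() { return (uintptr_t)g_heap; }
static inline uintptr_t heap_hi() { return heap_lo() + sizeof(g_heap); }

// Region containing p, or -1 for a non-low-fat pointer (stack, globals, any
// memory the scheme does not manage), which is deliberately left unchecked.
static int lowfat_region(const void* p) {
    uintptr_t u = (uintptr_t)p;
    if (u < heap_lo() || u >= heap_hi()) return -1;
    return (int)((u - heap_lo()) / REGION_SIZE);
}

// Object size is a property of the region, so it comes straight from the
// pointer value: no per-object header and no widened (fat) pointer.
size_t lowfat_size(const void* p) {
    int r = lowfat_region(p);
    return r < 0 ? 0 : SIZES[r];
}

// Base of the object containing p: round the region offset down to a multiple
// of that region's object size.
void* lowfat_base(const void* p) {
    int r = lowfat_region(p);
    if (r < 0) return const_cast<void*>(p);
    uintptr_t region_start = heap_lo() + (uintptr_t)r * REGION_SIZE;
    uintptr_t off = (uintptr_t)p - region_start;
    return (void*)(region_start + off - off % SIZES[r]);
}

// Bounds check for an n-byte access starting at p.
bool lowfat_check(const void* p, size_t n) {
    int r = lowfat_region(p);
    if (r < 0) return true;                       // not ours: accept
    uintptr_t base = (uintptr_t)lowfat_base(p);
    uintptr_t u = (uintptr_t)p;
    return u >= base && n <= SIZES[r] && u - base <= SIZES[r] - n;
}

// Allocate from the smallest size class that fits. Returns nullptr when no
// class fits or that region is exhausted.
void* lowfat_malloc(size_t n) {
    for (size_t r = 0; r < NUM_REGIONS; r++) {
        if (n > SIZES[r]) continue;
        if (g_bump[r] + SIZES[r] > REGION_SIZE) return nullptr;
        void* p = g_heap + r * REGION_SIZE + g_bump[r];
        g_bump[r] += SIZES[r];
        return p;
    }
    return nullptr;
}

// What an instrumented memcpy looks like under this scheme: the write is
// refused (nothing copied) if it would run past either object's bounds.
bool lowfat_memcpy(void* dst, const void* src, size_t n) {
    if (!lowfat_check(dst, n) || !lowfat_check(src, n)) return false;
    memcpy(dst, src, n);
    return true;
}

int main() {
    char* obj = (char*)lowfat_malloc(20);       // lands in the 32-byte class
    const char msg[] = "constructed input longer than thirty-two bytes";
    bool overflow_blocked = !lowfat_memcpy(obj, msg, sizeof msg);
    bool in_bounds_ok = lowfat_memcpy(obj, msg, 32);
    return (overflow_blocked && in_bounds_ok) ? 0 : 1;
}
```

The thing to notice is that `lowfat_base` and `lowfat_size` take nothing but the pointer: no metadata lookup, no extra word carried alongside it, which is what keeps pointer representation and ABI unchanged. Pointers the allocator never produced are passed through unchecked, so the scheme protects its own allocations only.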

Block Oriented Programming: Automating Data-Only Attacks

Link: https://dl.acm.org/citation.cfm?id=3243739
Source Code: https://github.com/HexHive/BOPC
Summary: Vulnerable software running under active defenses (e.g. Control-Flow Integrity, shadow stacks, address space randomization) is hard to exploit. Control-Flow Integrity (CFI) restricts execution to valid control flows, but because the underlying control-flow graph (CFG) is imprecise, coarse-grained CFI over-approximates the allowed control transfers. This keeps open…

k-hunt: Pinpointing Insecure Cryptographic Keys from Execution Traces

Link: http://web.cse.ohio-state.edu/~lin.3021/file/CCS18.pdf
Source Code: https://github.com/GoSSIP-SJTU/k-hunt
Summary: It would be useful for attackers to identify the memory locations where an application stores its cryptographic keys. It would be even more useful to apply taint analysis for various purposes (e.g. to identify whether a key is insecure). This research uses an online dynamic verification system to identify the…

Enforcing Unique Code Target Property for Control-Flow Integrity

Link: https://dl.acm.org/citation.cfm?id=3243797
Source Code: https://github.com/uCFI-GATech
Summary: The project pursues an ambitious goal: based on the execution history, enforce a CFI policy that allows only one valid target for each indirect jump/call. For decades researchers have tried to design strict enforcement, a strong CFI policy, but the performance overhead and complex real-world…