The University of Arizona

Events & News

CS Colloquium

DateThursday, November 3, 2016
Time11:00 am
Concludes12:15 pm
LocationGould-Simpson 906
DetailsPlease join us for coffee and light refreshments at 10:45am, Gould-Simpson, 9th Floor Atrium

Faculty Host: Dr. Christian Collberg
SpeakerMathias Payer
AffiliationPurdue University

Memory Corruption: Why Protection is Hard

Memory safety violations, e.g., buffer overflows or type confusions allow adversaries to take control of systems. As it is unlikely that all software bugs will be fixed, we must protect systems in the presence of such bugs. With the rise of defense techniques, attacks have become much more complicated, yet control-flow hijack attacks remain prevalent. Strong defense mechanisms are not yet widely deployed due to (i) the time it takes to roll out a security mechanism, (ii) incompatibility with specific features, and (iii) performance overhead. We will evaluate the security benefits and limitations of the status quo and look into stronger alternatives.

Control-Flow Integrity (CFI) and Code-Pointer Integrity (CPI) are two of the hottest upcoming defense mechanisms. CFI guarantees that the runtime control flow follows the statically determined control-flow graph. An attacker may reuse any of the valid transitions at any control-flow transfer. CPI, on the other hand, is a dynamic property that enforces memory safety guarantees like bounds checks for code pointers by separating code pointers from regular data. We will discuss differences and advantages/disadvantages of both approaches, especially considering their security guarantees and performance impacts, and look at strategies to defend against other attack vectors like type confusion.


Mathias Payer is a security researcher and an assistant professor in computer science at Purdue university, leading the HexHive group. His research focuses on protecting applications even in the presence of vulnerabilities, with a focus on memory corruption. He is interested in system security, binary exploitation, user-space software-based fault isolation, binary translation/recompilation, and (application) virtualization. Before joining Purdue in 2014, he spent two years as PostDoc in Dawn Song's BitBlaze group at UC Berkeley. He graduated from ETH Zurich with a Dr. sc. ETH in 2012. In 2014, he founded the b01lers Purdue CTF team. All implementation prototypes from his group are open-source.