Software has always had faults that can be exploited to gain unauthorized access to systems, exfiltrate data, install undesired software, and so on. Over the years, new defenses such as ASLR, DEP, and stack cookies have significantly raised the bar, making exploitation much harder. However, attackers have also evolved, and recent attacks show an increased level of sophistication. Code-reuse attacks based on return-oriented programming are a prime example. Such attacks have reignited research interest in various instantiations of control-flow integrity (CFI), which in its ideal form prevents flows of control that were not intended by the original program. These works have focused on a looser notion of CFI which can be deployed, sometimes with hardware support, on unmodified binaries and with little overhead. In this talk, I will discuss how recent CFI approaches work and present our work on evaluating their effectiveness in terms of security. Specifically, I will show that attacks are still possible, so, even though the bar is raised yet one more time, some control-flow integrity is not enough.
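To make the distinction between the "looser" CFI the abstract refers to and the ideal form concrete, the following toy model is an added illustration (not code from the talk or its authors). It checks a constructed trace of control transfers against two policies: a coarse-grained one, which only requires that indirect calls land on some function entry and that returns land on some address that follows a call instruction, and a shadow-stack policy, which requires each return to go back to the exact address pushed by the matching call. All addresses, the fixed 4-byte call encoding, and the traces are made-up values chosen for the example.

```python
"""Toy comparison of coarse-grained CFI versus a shadow stack.

Constructed example: the program layout, instruction addresses and the
control-transfer traces below are invented for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional

CALL_LEN = 4  # assumed fixed-length CALL encoding in this toy machine

# Constructed layout: three functions and three call sites inside them.
FUNCTION_ENTRIES = {0x1000, 0x2000, 0x3000}
CALL_SITES = {0x100C, 0x102C, 0x200C}
# Under the coarse policy, any address right after a call is a legal return target.
CALL_PRECEDED = {site + CALL_LEN for site in CALL_SITES}


@dataclass
class Transfer:
    kind: str  # "call" or "ret"
    src: int   # address of the transferring instruction
    dst: int   # address control lands on


def coarse_cfi(trace: List[Transfer]) -> Optional[int]:
    """Coarse-grained policy (as deployed on unmodified binaries).

    Indirect calls must target a function entry; returns must target a
    call-preceded address. Returns the index of the first violation, or None.
    """
    for i, t in enumerate(trace):
        if t.kind == "call" and t.dst not in FUNCTION_ENTRIES:
            return i
        if t.kind == "ret" and t.dst not in CALL_PRECEDED:
            return i
    return None


def shadow_stack_cfi(trace: List[Transfer]) -> Optional[int]:
    """Precise return policy: a return must go to the address saved by its call.

    The shadow stack records the expected return address at every call and
    pops it at every return. Returns the index of the first violation, or None.
    """
    shadow: List[int] = []
    for i, t in enumerate(trace):
        if t.kind == "call":
            if t.dst not in FUNCTION_ENTRIES:
                return i
            shadow.append(t.src + CALL_LEN)  # expected return address
        elif t.kind == "ret":
            if not shadow or shadow.pop() != t.dst:
                return i
    return None


# Constructed traces. BENIGN: main -> f2 -> f3, then both return normally.
BENIGN = [
    Transfer("call", 0x100C, 0x2000),
    Transfer("call", 0x200C, 0x3000),
    Transfer("ret", 0x3040, 0x2010),
    Transfer("ret", 0x2040, 0x1010),
]

# DIVERTED: the return from f3 lands on a *different* call-preceded address.
# Both the source and target look legitimate to the coarse policy; only the
# shadow stack notices that the return does not match the pending call.
DIVERTED = [
    Transfer("call", 0x100C, 0x2000),
    Transfer("call", 0x200C, 0x3000),
    Transfer("ret", 0x3040, 0x1030),
]

# CRUDE: a return into the middle of a function body; both policies reject it.
CRUDE = [
    Transfer("call", 0x100C, 0x2000),
    Transfer("call", 0x200C, 0x3000),
    Transfer("ret", 0x3040, 0x3004),
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("diverted", DIVERTED), ("crude", CRUDE)):
        print(f"{name:9s} coarse={coarse_cfi(trace)!s:5s} shadow={shadow_stack_cfi(trace)}")
```

The point the model makes is the one the abstract states: the coarse policy accepts the diverted trace because the set of "call-preceded" addresses is far larger than the single address the program actually intended, so an attacker who controls a return address still has a choice of targets. The precise policy shrinks that set to one.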
Georgios Portokalidis is an assistant professor in the Computer Science Department at Stevens Institute of Technology. He obtained his doctorate from Vrije Universiteit Amsterdam. His research interests are mainly in systems security, but extend to network monitoring, operating systems, and virtualization technologies. His work focuses on improving the security of existing software on commodity systems and on using virtualization to retrofit software with protection mechanisms. More recently, he has been involved with improving software reliability and availability, mobile device security, and privacy issues.