This contribution deals with the design of faultisolation observers (FIOs). Their purpose is to detect and isolate faults acting on linear systems by means of only a single observer. While parameterizations for such ...
详细信息
ISBN:
(纸本)9781467346009
This contribution deals with the design of faultisolation observers (FIOs). Their purpose is to detect and isolate faults acting on linear systems by means of only a single observer. While parameterizations for such observers have been proposed for statically isolable systems, we generalize the existing results to linear systems without the restriction of a non-singular fault detectability matrix. To achieve faultisolation in such systems, we introduce virtual system extensions, which enable stable isolation. These virtual augmentations are then realized by dynamically extended faultisolation observers (DFIOs). Apart from that the proposed design allows to isolate both actuator and sensor faults.
Heap memory errors remain a major source of software vulnerabilities. Existing memory safety defenses aim at protecting all objects, resulting in high performance cost and incomplete protection. Instead, we propose an...
详细信息
ISBN:
(纸本)9798400706363
Heap memory errors remain a major source of software vulnerabilities. Existing memory safety defenses aim at protecting all objects, resulting in high performance cost and incomplete protection. Instead, we propose an approach that accurately identifies objects that are inexpensive to protect, and design a method to protect such objects comprehensively from all classes of memory errors. Towards this goal, we introduce the Uriah system that (1) statically identifies the heap objects whose accesses satisfy spatial and type safety, and (2) dynamically allocates such "safe" heap objects on an isolated safe heap to enforce a form of temporal safety while preserving spatial and type safety, called temporal allocated-type safety. Uriah finds 72.0% of heap allocation sites produce objects whose accesses always satisfy spatial and type safety in the SPEC CPU2006/2017 benchmarks, 5 server programs, and Firefox, which are then isolated on a safe heap using Uriah allocator to enforce temporal allocated-type safety. Uriah incurs only 2.9% and 2.6% runtime overhead, along with 9.3% and 5.4% memory overhead, on the SPEC CPU 2006 and 2017 benchmarks, while preventing exploits on all the heap memory errors in DARPA CGC binaries and 28 recent CVEs. Additionally, using existing defenses to enforce their memory safety guarantees on the unsafe heap objects significantly reduces overhead, enabling the protection of heap objects from all classes of memory errors at more practical costs.
The standard loader (1d. so) is a common target of attacks. The loader is a trusted component of the application, and faults in the loader are problematic;e.g., they may lead to local privilege escalation for SUID bin...
详细信息
ISBN:
(纸本)9780769546810
The standard loader (1d. so) is a common target of attacks. The loader is a trusted component of the application, and faults in the loader are problematic;e.g., they may lead to local privilege escalation for SUID binaries. software-based fault isolation (SFI) provides a framework to execute arbitrary code while protecting the host system. A problem of current approaches to SFI is that faultisolation is decoupled from the dynamic loader, which is treated as a black box. The sandbox has no information about the (expected) execution behavior of the application and the connections between different shared objects. As a consequence, SFI is limited in its ability to identify devious application behavior. This paper presents a new approach to run untrusted code in a user-space sandbox. The approach replaces the standard loader with a security-aware trusted loader. The secure loader and the sandbox together cooperate to allow controlled execution of untrusted programs. A secure loader makes security a first class concept and ensures that the SFI system does not allow any unchecked code to be executed. The user-space sandbox builds on the secure loader and subsequently dynamically checks for malicious code and ensures that all control flow instructions of the application adhere to an execution model. The combination of the secure loader and the user-space sandbox enables the safe execution of untrusted code in user-space. Code injection attacks are stopped before any unintended code is executed. Furthermore, additional information provided by the loader can be used to support additional security properties, e.g., inlining of Procedure Linkage Table calls reduces the number of indirect control flow transfers and therefore limits jump-oriented attacks. This approach implements a secure platform for privileged applications and applications reachable over the network that anticipates and confines security threats from the beginning.
For performance and for incorporating legacy libraries, many Java applications contain native-code components written in unsafe languages such as C and C++. Native-code components interoperate with Java components thr...
详细信息
For performance and for incorporating legacy libraries, many Java applications contain native-code components written in unsafe languages such as C and C++. Native-code components interoperate with Java components through the Java Native Interface (JNI). As native code is not regulated by Java's security model, it poses serious security threats to the managed Java world. We introduce a security framework that extends Java's security model and brings native code under control. Leveraging software-based fault isolation, the framework puts native code in a separate sandbox and allows the interaction between the native world and the Java world only through a carefully designed pathway. Two different implementations were built. In one implementation, the security framework is integrated into a Java Virtual Machine (JVM). In the second implementation, the framework is built outside of the JVM and takes advantage of JVM-independent interfaces. The second implementation provides JVM portability, at the expense of some performance degradation. Evaluation of our framework demonstrates that it incurs modest runtime overhead while significantly enhancing the security of Java applications.
暂无评论