PhD graduate

cycle: XXXV

supervisor: Camil Demetrescu

Thesis title: Taming Complex Bugs in Secure Systems

Modern systems rely on several layers of abstraction to implement their expected functionality. Securing complex systems is extremely difficult, as any abstraction layer can be a possible target. While defense-in-depth techniques help, attackers resort to chaining multiple exploits to break the different protection layers. Thus, malicious actors increase their attack complexity to exploit even the most secure systems. Vulnerabilities may hide in each layer of a modern system. Software applications are often the initial attack target, as they are usually exposed to the external world. Once a malicious actor can exploit a software application, they usually move to escalate their privileges, targeting other running applications or the operating system to exfiltrate data or achieve persistence. From a compromised operating system, an attacker may even target hypervisors and CPU enclaves designed to protect against privileged attackers. Several techniques attempt to slow down attackers, make bugs hard to find, or, better, find and fix bugs in the first place. Obfuscation techniques complicate the software under analysis, slowing down program understanding by external actors. Automatic software testing aims to find bugs during development to avoid possible vulnerabilities in production systems. Enclaves protect software from a compromised operating system but require CPUs to support them correctly. However, given enough time, attackers can often break each protection layer by combining several complex vulnerabilities to take control of an entire secure system. Thus, a comprehensive approach needs to tackle vulnerabilities across several system layers to increase the attack complexity required to break modern systems. This thesis examines and enhances the security of multiple layers of modern systems. We design, implement and evaluate techniques to find and mitigate complex vulnerabilities across most of the layers of secure systems.
Throughout the thesis, we build solutions by sequentially breaking assumptions on attacker capabilities. To slow down attackers, we propose techniques to efficiently obfuscate software against reverse engineering. To secure software and operating systems, we improve existing dynamic testing techniques to find vulnerabilities at scale and introduce new strategies to find novel bug patterns. We design compilation frameworks to protect software from subtle bugs, from type confusion to CPU side-channel bugs. To deepen the understanding of the threats of privileged attackers, we systematize hardware bug classes, comparing architectural and microarchitectural vulnerabilities to software ones. In doing so, we discover the first architectural CPU bug that leaks confidential data without side channels. Finally, we propose the first CPU framework to inspect and customize modern CPU microcode, offering an unprecedented view of the inner workings of current systems. As a byproduct of our research, we find, report, and mitigate over one hundred vulnerabilities across most modern system layers, including application software, operating systems, and CPUs. All the prototypes proposed in this thesis are open-sourced to foster future security research.

Research output

11573/1686965 - 2023 - Uncontained: Uncovering Container Confusion in the Linux Kernel
Koschel, Jakob; Borrello, Pietro; D'Elia, Daniele Cono; Bos, Herbert; Giuffrida, Cristiano - 04b Conference paper in proceedings volume
conference: 32nd USENIX Security Symposium (USENIX Security 23) (Anaheim; United States)
book: Proceedings of the 32nd USENIX Security Symposium - (978-1-939133-37-3)

11573/1657457 - 2022 - ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture
Borrello, Pietro; Kogler, Andreas; Schwarzl, Martin; Lipp, Moritz; Gruss, Daniel; Schwarz, Michael - 04b Conference paper in proceedings volume
conference: 31st USENIX Security Symposium (USENIX Security 22) (Boston; USA)
book: 31st USENIX Security Symposium (USENIX Security 22) - (978-1-939133-31-1)

11573/1657458 - 2022 - Robust and Scalable Process Isolation Against Spectre in the Cloud
Schwarzl, Martin; Borrello, Pietro; Kogler, Andreas; Varda, Kenton; Schuster, Thomas; Schwarz, Michael; Gruss, Daniel - 04b Conference paper in proceedings volume
conference: ESORICS 2022: Computer Security (Copenhagen; Denmark)
book: ESORICS 2022: Computer Security - (978-3-031-17145-1; 978-3-031-17146-8)

11573/1603661 - 2021 - Constantine: Automatic Side-Channel Resistance Using Efficient Control and Data Flow Linearization
Borrello, P.; D'Elia, D. C.; Querzoni, L.; Giuffrida, C. - 04b Conference paper in proceedings volume
conference: 27th ACM Annual Conference on Computer and Communication Security, CCS 2021 (Virtual Event)
book: Proceedings of the ACM Conference on Computer and Communications Security - (9781450384544)

11573/1557526 - 2021 - Hiding in the Particles: When Return-Oriented Programming Meets Program Obfuscation
Borrello, Pietro; Coppa, Emilio; D'Elia, Daniele Cono - 04b Conference paper in proceedings volume
conference: 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (Virtual Event)
book: 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) - (978-166543572-7)

11573/1282932 - 2019 - The ROP needle: Hiding trigger-based injection vectors via code reuse
Borrello, P.; Coppa, E.; D'Elia, D. C.; Demetrescu, C. - 04b Conference paper in proceedings volume
conference: 34th Annual ACM Symposium on Applied Computing, SAC 2019 (Limassol; Cyprus)
book: SAC '19 Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing - (9781450359337)

11573/1282978 - 2018 - ROPMate: Visually Assisting the Creation of ROP-based Exploits
Angelini, Marco; Blasilli, Graziano; Borrello, Pietro; Coppa, Emilio; D'Elia, Daniele Cono; Ferracci, Serena; Lenti, Simone; Santucci, Giuseppe - 04b Conference paper in proceedings volume
conference: 15th IEEE Symposium on Visualization for Cyber Security (Berlin; Germany)
book: 2018 IEEE Symposium on Visualization for Cyber Security (VizSec) - (978-153868194-7)

© Università degli Studi di Roma "La Sapienza" - Piazzale Aldo Moro 5, 00185 Roma