Security Talk: Poking Low-level Code

Mathias PAYER - Security researcher and an assistant professor at the EPFL school
Digital Security

Date: September 19th 2019
Location: Eurecom - Eurecom

Abstract: In an eternal war in memory, state corruption plagues systems since the dawn of computing. Despite the rise of strong mitigations such as stack cookies, ASLR, DEP, or most recently Control-Flow Integrity, exploits are still prevalent as none of these defenses offers complete protection. This situation calls for program testing techniques that discover reachable vulnerabilities before the attacker. Finding and fixing bugs is the only way to protect against all exploitation. We develop fuzzing techniques that follow an adversarial approach, focusing on the exposed attack surface and exploring potentially reachable vulnerabilities. In this talk we will discuss two aspects of fuzzing hard to reach code: (i) learning what code is exposed to attacker-controlled input and (ii) testing drivers that interact with exposed peripherals. First, we assess the threat surface by characterizing the potential computational power that a vulnerability gives. In a multi-step process we follow the flow of information an synthesize potential attacker payloads to learn how exposed certain code sequences are. Second, by providing a custom-tailored emulation environment we create mock Trojan devices that allow fuzzing the peripheral/driver interface. In these projects we develop new techniques to test different kinds of hard to reach code and exposed large amounts of vulnerabilities. Bio: Mathias Payer is a security researcher and an assistant professor at the EPFL school of computer and communication sciences (IC), leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption and type violations. He is interested in software security, system security, binary exploitation, effective mitigations, fault isolation/privilege separation, strong sanitization, and software testing (fuzzing) using a combination of binary analysis and compiler-based techniques. After 4 years at Purdue university, he joined EPFL in 2018. Before joining Purdue in 2014 he spent two years as PostDoc in Dawn Song's BitBlaze group at UC Berkeley. He graduated from ETH Zurich with a Dr. sc. ETH in 2012, focusing on enforcing security policies through low-level binary translation. All prototype implementations are open-source. He co-founded the EPFL polygl0t and Purdue b01lers CTF teams.

Permalink: https://www.eurecom/seminar/90897