vArmor: Identifying and Guarding Security-Critical Data in COTS Applications

Award Information
Agency: Department of Defense
Branch: Defense Advanced Research Projects Agency
Contract: 140D6318C0080
Agency Tracking Number: D173-003-0041
Amount: $149,496.80
Phase: Phase I
Program: SBIR
Awards Year: 2018
Solicitation Year: 2017
Solicitation Topic Code: SB173-003
Solicitation Number: 2017.3
Small Business Information
104 S. Estes Dr., Chapel Hill, NC, 27514
DUNS: 080078085
HUBZone Owned: N
Woman Owned: N
Socially and Economically Disadvantaged: N
Principal Investigator
 Kevin Valakuzhy
 (704) 936-6721
 kvalakuzhy@zeropointdynamics.com
Business Contact
 Kevin Snow
Phone: (919) 458-8002
Email: kevin@zeropointdynamics.com
Research Institution
N/A
Abstract
Over a decade ago, security practitioners highlighted threats posed by memory corruption exploits that subvert systems through manipulation of security-critical non-control data, without ever corrupting application control flow. Since that demonstration, however, the full power of data-oriented attacks went largely unnoticed until very recently. One reason for this recent emergence is that exploitation of critical software (e.g., browsers, document viewers, web servers) is getting harder due to widespread deployment of mitigations such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and Control-Flow Integrity (CFI). Exploitation in the face of DEP forces adversaries to rely on finding clever ways to chain together small instruction snippets (gadgets) to implement malicious logic, while bypassing ASLR requires disclosure of memory to identify those gadgets. With the deployment of CFI (e.g., CFGuard) in modern systems, however, sequencing gadgets is increasingly difficult. Not surprisingly, attacks simply evolved to instead make better use of memory disclosures (and modifications) by leaking security-sensitive data (e.g., Heartbleed) or modifying security-critical data (e.g., disabling DEP or browser same-origin policies). This trend will only get worse if strong protections are not put in place for guarding data in commodity closed-source software. We propose using recent advances in binary analysis to adapt source-based sandboxing to closed-source applications.

* Information listed above is at the time of submission. *
