TY - JOUR
T1 - Software-driven security attacks
T2 - From vulnerability sources to durable hardware defenses
AU - Biernacki, Lauren
AU - Gallagher, Mark
AU - Xu, Zhixing
AU - Aga, Misiker Tadesse
AU - Harris, Austin
AU - Wei, Shijia
AU - Tiwari, Mohit
AU - Kasikci, Baris
AU - Malik, Sharad
AU - Austin, Todd
N1 - Publisher Copyright:
© 2021 Association for Computing Machinery.
PY - 2021/7
Y1 - 2021/7
N2 - There is an increasing body of work in the area of hardware defenses for software-driven security attacks. A significant challenge in developing these defenses is that the space of security vulnerabilities and exploits is large and not fully understood. This results in specific point defenses that aim to patch particular vulnerabilities. While these defenses are valuable, they are often blindsided by fresh attacks that exploit new vulnerabilities. This article aims to address this issue by suggesting ways to make future defenses more durable based on an organization of security vulnerabilities as they arise throughout the program life cycle. We classify these vulnerability sources through programming, compilation, and hardware realization, and we show how each source introduces unintended states and transitions into the implementation. Further, we show how security exploits gain control by moving the implementation to an unintended state using knowledge of these sources and how defenses work to prevent these transitions. This framework of analyzing vulnerability sources, exploits, and defenses provides insights into developing durable defenses that could defend against broader categories of exploits. We present illustrative case studies of four important attack genealogies - showing how they fit into the presented framework and how the sophistication of the exploits and defenses have evolved over time, providing us insights for the future.
AB - There is an increasing body of work in the area of hardware defenses for software-driven security attacks. A significant challenge in developing these defenses is that the space of security vulnerabilities and exploits is large and not fully understood. This results in specific point defenses that aim to patch particular vulnerabilities. While these defenses are valuable, they are often blindsided by fresh attacks that exploit new vulnerabilities. This article aims to address this issue by suggesting ways to make future defenses more durable based on an organization of security vulnerabilities as they arise throughout the program life cycle. We classify these vulnerability sources through programming, compilation, and hardware realization, and we show how each source introduces unintended states and transitions into the implementation. Further, we show how security exploits gain control by moving the implementation to an unintended state using knowledge of these sources and how defenses work to prevent these transitions. This framework of analyzing vulnerability sources, exploits, and defenses provides insights into developing durable defenses that could defend against broader categories of exploits. We present illustrative case studies of four important attack genealogies - showing how they fit into the presented framework and how the sophistication of the exploits and defenses have evolved over time, providing us insights for the future.
KW - Implementation information
KW - Security attacks and defenses
KW - Taxonomy
KW - Undefined semantics
KW - Vulnerabilities
UR - http://www.scopus.com/inward/record.url?scp=85122640740&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85122640740&partnerID=8YFLogxK
U2 - 10.1145/3456299
DO - 10.1145/3456299
M3 - Article
AN - SCOPUS:85122640740
SN - 1550-4832
VL - 17
JO - ACM Journal on Emerging Technologies in Computing Systems
JF - ACM Journal on Emerging Technologies in Computing Systems
IS - 3
M1 - 3456299
ER -