CSE Lecturer Candidate Seminar #3

CSE Lecturer Candidate Seminar
Control-Flow Security

The software attack surface provides many avenues for hijacking; however, many exploits ultimately rely on the successful execution of a control-flow attack. These attacks persist because the root of the problem remains: runtime data is allowed to enter the program counter. In this talk, I will begin with a brief lesson on the relevant topic of pointers, with a preface on effective teaching. I will then provide a concise overview of control-flow security and contemporary control-flow attacks. While many approaches to these attacks rely on Control-Flow Graph (CFG) edge checking and labeling, these techniques remain vulnerable to attacks such as heap spray, read, or GOT attacks, and in some cases suffer high overheads. I will detail approaches to ensuring the programmer-intended CFG of an application at runtime. Contemporary efforts in ensuring the integrity of control-flow employ layering additional complexity in an effort to shield software from attack, retaining the mechanisms by which control-flow attacks are accomplished. In contrast, subtracting these mechanisms removes the vulnerability, effectively isolating control from user data. Finally, I will briefly discuss how to eliminate barriers to the adoption of this control-data isolation through architectural support, with memoization of compiler-confirmed control-flow transitions.
William Arthur is a PhD Candidate at the University of Michigan "“ Ann Arbor. His research interests center on secure computing, focused on the role of control-flow, leveraging compiler and architectural support to eliminate vulnerabilities. Coming from the Automotive industry, he began teaching and mentoring for an Apprenticeship program while at Ford Motor Company. While at the University of Michigan, William has taught as both Graduate Student Instructor and primary instructor for courses including Introduction to Computer Organization and Elementary Programming Concepts. Participating in a partnership between Michigan and Addis Ababa Institute of Technology in Ethiopia, he taught a course on Fault-Tolerant Computing to their PhD cohort during the summer of 2015. An active participant in the Center for Research on Learning and Teaching (CRLT), William has served as teaching consultant and orientation facilitator for student instructors as well as leading seminars on teaching in Engineering.