Ghostbuster | A Principled Plan to Prevent Transient Execution Attacks

Summary
Ghostbuster is a research program to stop advanced “transient execution attacks”, which by themselves already rank among the most advanced attacks ever—by finding vulnerable code fragments, analyzing them for exploitability, and injecting mitigations where needed. Vulnerabilities such as Spectre, Meltdown and others originate in vulnerable hardware and allow data leakage across all security boundaries. Recently, my team and I showed that even more advanced attacks exist by combining transient execution with traditional software exploitation. Today, we have no way of even detecting these hybrid attacks, let alone stopping them. While we keep finding new variants, vendors have indicated that they cannot fix them all, as it would cripple performance. The hope is that developers identify and harden vulnerable code snippets (e.g., with instructions that stop transient execution). Unfortunately, finding vulnerable snippets is hard, beyond the abilities of top programmers, and even more so for the new hybrid attacks. Can it be done automatically?

The challenge is daunting and involves all interaction between the code and a myriad of obscure CPU resources, requiring expertise in hardware, operating systems, fuzzing, program analysis, etc. State-of-the-art (and limited) tools do not even aim for mitigation and simply report potential issues—with many false positives and negatives.

Unlike existing solutions that detect the snippets through pattern matching, Ghostbuster takes a principled approach and considers the fundamental conditions enabling attacks—without resorting to, say, symbolic execution, which scales poorly to large programs. It models the fundamental conditions of (steps of) an attack in terms of control-flow and data-flow properties and translates the models into detectors. After detecting the code that looks vulnerable, it runs additional (possibly heavy-weight) exploitability analysis and, if need be, mitigates the issue by removing some of the enabling conditions.
More information & hyperlinks
Web resources: https://cordis.europa.eu/project/id/101141972
Start date: 01-01-2025
End date: 31-12-2029
Total budget: 2 499 995,00 Euro
Public funding: 2 499 995,00 Euro
Cordis data

Status: SIGNED
Call topic: ERC-2023-ADG
Update date: 22-11-2024
Geographical location(s)
Structured mapping
Horizon Europe
HORIZON.1 Excellent Science
HORIZON.1.1 European Research Council (ERC)
HORIZON.1.1.1 Frontier science
ERC-2023-ADG ERC ADVANCED GRANTS