Securing Systems by Vulnerability Mitigation and Adaptive Live Patching

• Other Authors: Chen, Yue (author)
• Format: Others
• Language: English; English
• Published: Florida State University
• Subjects: Computer science
• Online Access: http://purl.flvc.org/fsu/fd/2018_Sp_Chen_fsu_0071E_14297

The number and type of digital devices are increasing tremendously in today's world. However, as the code size soars, the hidden vulnerabilities become a major threat to user security and privacy. Vulnerability mitigation, detection, and patch generation are key protection mechanisms against attacks and exploits. In this dissertation, we first explore the limitations of existing solutions. For vulnerability mitigation, in particular, currently deployed address space layout randomization (ASLR) has the drawbacks that the process is randomized only once, and the segment is moved as a whole. This design makes the program particularly vulnerable to information leaks. For vulnerability detection, many existing solutions can only detect the symptoms of attacks, instead of locating the underlying exploited vulnerabilities, since the manifestation of an attack does not always coincide with the exploited vulnerabilities. For patch generation towards a large number of different devices, current schemes fail to meet the requirements of timeliness and adaptiveness. To tackle the limitations of existing solutions, this dissertation introduces the design and implementation of three countermeasures. First, we present Remix, an effective and efficient on-demand live randomization system, which randomizes basic blocks of each function during runtime to provide higher entropy and stronger protection against code reuse attacks. Second, we propose Ravel, an architectural approach to pinpointing vulnerabilities from attacks. It leverages a record & replay mechanism to reproduce attacks in the lab environment, and uses the program's memory access patterns to locate targeted vulnerabilities which can be a variety of types. Lastly, we present KARMA, a multi-level live patching framework for Android kernels with minor performance overhead. The patches are written in a high-level memory-safe language, with the capability to be adapted to thousands of different Android kernels. === A Dissertation submitted to the Department of Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy. === Spring Semester 2018. === January 23, 2018. === Android, ASLR, Patch, Randomization, System Security, Vulnerability === Includes bibliographical references. === Zhi Wang, Professor Directing Dissertation; Ming Yu, University Representative; Xiuwen Liu, Committee Member; An-I Andy Wang, Committee Member.