Title: Control-Flow Attacks and Mitigations
Speaker: Dr. Ziming Zhao
Date: 4 Sep. 2023 (Monday)
Time: 8:55 a.m. - 12:00 a.m.
腾讯会议:915-8943-7178
Inviter: Dr. Guyue Li
主办单位:东南大学网络空间安全学院
承办单位:江苏省网络空间安全学会
Abstract:
Networked embedded and Internet of Things (IoT) systems are essential to everyday life and are predicted to reach 1 trillion by 2035. It is, however, difficult to secure these systems due to software issues and hardware constraints. On the software front, these systems are usually written in low-level languages, e.g., C, whose lack of safety allows attackers to exploit memory corruption bugs to hijack the control flow. On the hardware front, many embedded and IoT systems do not have some of the hardware units we take for granted on personal and cloud computing architectures. For example, the Arm Cortex-M microcontrollers do not have a Memory Management Unit (MMU), without which applications share the same physical address space, making it difficult to enforce isolation or to implement for control-flow hijacking mitigation.
In this talk, Dr. Zhao will discuss two of their recent publications on control-flow attacks and mitigations. The first publication was presented at ACM/IEEE Design Automation Conference (DAC'23). In this work, he will discuss a new class of attacks known as return-to-non-secure attacks on ARM Cortex-M microcontrollers and their mitigation strategies. The second publication will be presented at ACM Conference on Computer and Communications Security (CCS'23). In this research, he presents SHERLOC, a novel mechanism that not only monitors the forward and backward edges of unprivileged and privileged programs but also the control-flow transfers among unprivileged and privileged components.
Bio:
Ziming Zhao is an Assistant Professor at the Department of Computer Science and Engineering (CSE) and the director of the CyberspACe securiTy and forensIcs lab (CactiLab), . His current research interests include system and software security, trusted execution environment, formal methods for security, and usable security. He is a recipient of a National Science Foundation CAREER award and an NSF CRII award. His research outcomes have appeared in IEEE Security and Privacy, USENIX Security, ACM CCS, NDSS, ACM MobiSys, ACM/IEEE DAC, ACM TISSEC/TOPS, IEEE TDSC, IEEE TIFS, and more. His contributions have been recognized with best/distinguished paper awards from USENIX Security 2019, ACM AsiaCCS 2022, ACM CODASPY 2014, and ITU Kaleidoscope 2016. He earned his bachelor's and master's degrees from Beijing University of Posts and Telecommunications. He obtained his Ph.D. degree in Computer Science from Arizona State University, Tempe, AZ, in 2014.