Cyber attacks against government agencies, financial institutions, health care providers, and companies of all sizes have become more prevalent and devastating over the past decade. Researchers at UT Dallas have been actively researching ways to combat cyber attacks. This past January, the research of Dr. Kevin Hamlen, a professor in the UT Dallas Computer Science department and a Senior Technical Advisor of UT Dallas’s Cyber Security Research and Education Institute, titled “Protecting against State of the Art Cyber Attacks through Opaque Control-Flow Integrity (O-CFI),” was selected to be published in the 2016 National Science Foundation (NSF) Industry & University Cooperative Research Center (I/UCRC) Tech Breakthrough Compendium.
The compendium catalogues technological breakthroughs and advances that industry representatives believe are attributable to specific Industry & University Cooperative Research Centers (I/UCRCs). An I/UCRC-attributable technological advance or breakthrough is defined as center-related research that either directly or indirectly led to, or likely will lead to, significant process improvements, new processes or techniques, new/improved products or services, and/or economic benefits such as cost savings, increased profits and/or job growth for the sponsor, the industrial sector, and/or the nation’s economy. The Compendium, to be published in a printed book and online, is intended for Congressional and White House staffers and visitors to the NSF, along with the general public, to aid in understanding the great impact of research taking place at I/UCRCs. Vishwath Mohan (UT Dallas, and lead author), Per Larsen (University of California at Irvine), Stefan Brunthaler (UC Irvine), Kevin W. Hamlen (UT Dallas, and lead supervisor for this project), and Michael Franz (UC Irvine, and co-supervisor of the project) served as co-authors on the publication of O-CFI research.
Dr. Kevin Hamlen explained one of the many benefits of having the research published in the compendium, saying, “One of the benefits of being published in the compendium is that it brings greater awareness of our research. It is extremely difficult to defend against IACR attacks, and many experts remain unaware that there is any practical defense.” He also notes, “This publicity helps us get the word out about our new, exceptionally powerful defense, and the broader methodology of consumer-side software security hardening.”
The project, which is a collaboration between Dr. Kevin Hamlen, his UT Dallas research team, and Dr. Michael Franz’s research team at UC Irvine, introduces Opaque Control-Flow Integrity (O-CFI), which is the first software security defense that merges binary software randomization with CFI to defeat one of the latest cyber security threats: implementation-aware code-reuse (IACR) attacks. IACR attacks commandeer software by first exfiltrating in-memory code details of a victim’s program and then exploiting those details to corrupt the victim’s program control-flow paths.
In a laboratory research setting, IACR attacks have been successfully used to break several state-of-the-art software defense systems by a number of research teams, including teams at UNC Chapel Hill, CASED/Technische Universität Darmstadt (Germany), and Stanford University. Outside of a laboratory research setting, IACR attacks are undoubtedly active, but they are hard to document because the “implementation-aware” (IA) part of the attack is not always visible to victims.
O-CFI defeats IACR attacks by randomizing the policy approximation enforced by CFI in such a way that the secret approximation is confined to a protected data region of the software, not its code. This means that even if an IACR attack leaks the complete binary code, stack, and heap memory of the victim program to the attacker, this is still not enough information for the attacker to reliably determine how the software’s control-flows can be safely corrupted without raising an alarm. O-CFI protections can be applied to secure software either at compile-time or to the already-compiled binary code. This makes the approach extremely flexible.
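The idea in the paragraph above, reduced to a toy model in C (an added example, not code from the O-CFI project): the guard in front of an indirect branch reads its permitted range from a data table, and the range is the true target set widened by secret random slack. The range-check form of the approximation, the addresses, `MAX_SLACK`, the `blt` table and all function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_SLACK 256u  /* assumed cap on the random padding per side */

/* Precise policy: the site's legal targets, sorted (constructed addresses). */
static const uint32_t legal[] = { 0x1040, 0x1080, 0x10c0 };
#define NLEGAL (sizeof legal / sizeof legal[0])

/* Enforced approximation: a [lo, hi] range for the site. This variable
   models the protected data region; the guard code holds no constants. */
static struct { uint32_t lo, hi; } blt;

/* Small deterministic generator so the demonstration is reproducible. */
static uint32_t next_rand(uint32_t *s) {
    *s = *s * 1664525u + 1013904223u;
    return *s >> 16;
}

/* Widen the tight range around the legal targets by the given slack. */
void set_bounds(uint32_t lo_slack, uint32_t hi_slack) {
    blt.lo = legal[0] - lo_slack;
    blt.hi = legal[NLEGAL - 1] + hi_slack;
}

/* Derive the slack from a seed (stands in for the randomization step). */
void randomize_bounds(uint32_t seed) {
    uint32_t lo_slack = next_rand(&seed) % MAX_SLACK;
    set_bounds(lo_slack, next_rand(&seed) % MAX_SLACK);
}

/* Guard placed before the indirect branch: 1 = allow, 0 = raise the alarm. */
int check_branch(uint32_t target) {
    return target >= blt.lo && target <= blt.hi;
}

/* Number of seeds in [0, n) whose randomized bounds accept this target. */
unsigned accepted(uint32_t target, unsigned n) {
    unsigned count = 0;
    for (uint32_t seed = 0; seed < n; seed++) {
        randomize_bounds(seed);
        count += (unsigned)check_branch(target);
    }
    return count;
}

int main(void) {
    printf("accepted out of 100: legal 0x1080=%u, nearby 0x1100=%u, far 0x2000=%u\n",
           accepted(0x1080, 100), accepted(0x1100, 100), accepted(0x2000, 100));
    return 0;
}
```

Legal targets pass under every seed and the far address never does, while the verdict for the nearby address depends on slack values that appear nowhere in the guard code.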
O-CFI can be applied to protect most binary software products that are potential victims of control-flow hijacking attacks. This includes web ecommerce systems, military systems, online database systems (e.g. healthcare information databases), industrial control systems, and other computing infrastructures requiring high assurance.
Dr. Kevin Hamlen and his team’s research involves the invention of algorithms that can automatically transform commodity software products to add more security after the products have already been developed and sold. This technique allows consumers to harden their software against emerging security threats, as well as customize the security in order to meet specific threats to their particular organization without needing to have the developer change the design in their program or release a new product.
“Our goal for this research is to eventually be able to scale our technique to change how software is developed, maintained, and secured worldwide,” notes Dr. Hamlen. The project is related to Dr. Hamlen’s earlier project called Frankenstein, a “reactively adaptive malware” research project, which made headlines in 2012. The technology in Frankenstein was utilized in two different ways in the project: (1) Many of the software transformation algorithms that Frankenstein used for cyber offense were repurposed in O-CFI for cyber defense. (2) Project researchers tested the security of O-CFI by attacking it with Frankenstein, the most powerful attack that was at Dr. Hamlen’s disposal. O-CFI successfully blocked the attacks made by Frankenstein, making it the first time the research team had found a technology that can potentially block an attack of that sophistication.
A $500k NSF CAREER award (2011), a United States Air Force Office of Scientific Research (AFOSR) award, and a grant from Raytheon Company through UT Dallas CS professor Dr. Farokh Bastani’s NSF Net-Centric & Cloud Software & Systems (NCSS) I/UCRC supported the research done at UT Dallas. The research done at University of California at Irvine was supported by two Defense Advanced Research Projects Agency (DARPA) contracts, and gifts from Mozilla Corporation and Oracle Corporation. Because of the technological breakthrough the research represents, the industry sponsor, Raytheon Company, nominated the project for the award, resulting in the NSF selecting the project for publication in the 2016 NSF I/UCRC Technology Breakthrough Compendium.
About the UT Dallas Computer Science Department
The UT Dallas Computer Science program is one of the largest Computer Science departments in the United States with over 1,600 bachelor’s-degree students, more than 1,100 master’s students, 160 PhD students, and 80 faculty members, as of Fall 2015. With The University of Texas at Dallas’ unique history of starting as a graduate institution first, the CS Department is built on a legacy of valuing innovative research and providing advanced training for software engineers and computer scientists.