Software trace cache
We explore the use of compiler optimizations that optimize the layout of instructions in memory. The target is to enable the code to make better use of the underlying hardware resources, regardless of the specific details of the processor/architecture, in order to increase fetch performance. The Software Trace Cache (STC) is a code layout algorithm with a broader target than previous layout optimizations. We target not only an improvement in the instruction cache hit rate, but also an increase in the effective fetch width of the fetch engine. The STC algorithm organizes basic blocks into chains, trying to make sequentially executed basic blocks reside in consecutive memory positions, then maps the basic block chains in memory to minimize conflict misses in the important sections of the program. We evaluate and analyze in detail the impact of the STC, and of code layout optimizations in general, on the three main aspects of fetch performance: the instruction cache hit rate, the effective fetch width, and the branch prediction accuracy. Our results show that layout-optimized codes have some special characteristics that make them more amenable to high-performance instruction fetch. They have a very high rate of not-taken branches and execute long chains of sequential instructions; they also make very effective use of instruction cache lines, mapping only useful instructions that will execute close in time, increasing both spatial and temporal locality. Peer reviewed. Postprint (published version).
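The chain-building step the abstract describes can be seen on a small profile. The following is an added illustration, not the paper's algorithm or data: it joins blocks into chains along the hottest edges (a greedy merge in the style of Pettis and Hansen, used here as a stand-in for the STC chain construction), places hot chains first, and measures how many dynamic control transfers are taken branches before and after. The block names and edge counts are constructed.

```python
from collections import defaultdict

# Constructed edge profile: (source block, destination block, dynamic count)
# for a hot loop with a rarely taken error path.
PROFILE = [
    ("entry", "loop_hdr", 1),
    ("loop_hdr", "body", 1000),
    ("loop_hdr", "exit", 1),
    ("body", "check", 1000),
    ("check", "loop_hdr", 990),
    ("check", "error", 10),
    ("error", "loop_hdr", 10),
]
# The order the blocks happen to sit in before any layout optimization (constructed).
ORIGINAL_LAYOUT = ["entry", "loop_hdr", "error", "body", "check", "exit"]


def build_chains(profile):
    """Greedily join blocks into chains along the hottest edges so that the
    most frequently executed successor becomes the fall-through block."""
    chains = []
    chain_of = {}

    def chain(block):
        if block not in chain_of:
            chain_of[block] = [block]
            chains.append(chain_of[block])
        return chain_of[block]

    for src, dst, _ in sorted(profile, key=lambda e: -e[2]):
        cs, cd = chain(src), chain(dst)
        if cs is cd or cs[-1] != src or cd[0] != dst:
            continue  # src is not a chain tail, or dst is not a chain head
        cs.extend(cd)
        for b in cd:
            chain_of[b] = cs
        chains.pop(next(i for i, c in enumerate(chains) if c is cd))
    return chains


def layout(profile):
    """Hot chains first, so the working set occupies a compact region."""
    weight = defaultdict(int)
    for _, dst, count in profile:
        weight[dst] += count
    chains = build_chains(profile)
    chains.sort(key=lambda c: -max(weight[b] for b in c))
    return [b for c in chains for b in c]


def taken_branch_ratio(order, profile):
    """Share of dynamic control transfers whose target is not the next block
    in memory, i.e. taken branches that break the sequential fetch stream."""
    follower = {order[i]: order[i + 1] for i in range(len(order) - 1)}
    total = sum(count for _, _, count in profile)
    taken = sum(count for src, dst, count in profile if follower.get(src) != dst)
    return taken / total


if __name__ == "__main__":
    new_order = layout(PROFILE)
    print("layout:", new_order)
    print("taken-branch ratio before: %.3f" % taken_branch_ratio(ORIGINAL_LAYOUT, PROFILE))
    print("taken-branch ratio after:  %.3f" % taken_branch_ratio(new_order, PROFILE))
```

On this profile the optimized order leaves only the loop back-edge and the two cold exits as taken branches; the remaining transfers fall through, which is the "very high rate of not-taken branches" the abstract reports for layout-optimized code.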
Out Of Control: Overcoming Control-Flow Integrity
As existing defenses like ASLR, DEP, and stack cookies are not sufficient to stop determined attackers from exploiting our software, interest in Control Flow Integrity (CFI) is growing. In its ideal form, CFI prevents flows of control that were not intended by the original program, effectively putting a stop to exploitation based on return oriented programming (and many other attacks besides). Two main problems have prevented CFI from being deployed in practice. First, many CFI implementations require source code or debug information that is typically not available for commercial software. Second, in its ideal form, the technique is very expensive. It is for this reason that current research efforts focus on making CFI fast and practical. Specifically, much of the work on practical CFI is applicable to binaries, and improves performance by enforcing a looser notion of control flow integrity. In this paper, we examine the security implications of such looser notions of CFI: are they still able to prevent code reuse attacks, and if not, how hard is it to bypass their protection? Specifically, we show that with two new types of gadgets, return oriented programming is still possible. We assess the availability of our gadget sets, and demonstrate the practicality of these results with a practical exploit against Internet Explorer that bypasses modern CFI implementations.
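The gap between a "looser notion" of CFI and the ideal one is easiest to see side by side. The following is an added example, not the paper's tooling or data: a constructed toy instruction listing, a coarse-grained policy that only checks that returns land on call-preceded addresses and indirect calls on function entries, a strict shadow-stack policy for comparison, and a gadget scan that reports which ret-terminated sequences remain usable under the coarse policy. The addresses, mnemonics and the two traces are assumptions of this example.

```python
# Constructed listing: (address, mnemonic, operand). Not real machine code.
CODE = [
    (0x1000, "push", "rbp"),        # f1 entry
    (0x1001, "mov",  "rbp, rsp"),
    (0x1004, "call", 0x1020),       # call f2
    (0x1009, "pop",  "rdi"),        # call-preceded: coarse CFI accepts returns here
    (0x100a, "ret",  None),
    (0x1010, "pop",  "rsi"),        # classic mid-function gadget
    (0x1011, "ret",  None),
    (0x1020, "mov",  "rax, rdi"),   # f2 entry
    (0x1023, "ret",  None),
]
FUNCTION_ENTRIES = {0x1000, 0x1020}
ADDR_INDEX = {addr: i for i, (addr, _, _) in enumerate(CODE)}


def next_addr(addr):
    """Address of the instruction following `addr` in the listing."""
    return CODE[ADDR_INDEX[addr] + 1][0]


def call_preceded_sites():
    """Return targets a coarse-grained policy admits: every instruction
    that directly follows a call."""
    return {next_addr(a) for a, mn, _ in CODE
            if mn == "call" and ADDR_INDEX[a] + 1 < len(CODE)}


def coarse_cfi_allows(kind, target):
    """Looser policy: rets may land on any call-preceded address, indirect
    calls on any function entry. Calls and returns are never paired."""
    if kind == "ret":
        return target in call_preceded_sites()
    if kind == "call":
        return target in FUNCTION_ENTRIES
    return False


def coarse_cfi_trace_ok(trace):
    return all(coarse_cfi_allows(kind, target) for kind, _, target in trace)


def shadow_stack_trace_ok(trace):
    """Ideal policy for returns: each ret must go exactly where the matching
    call would return to, enforced with a shadow stack."""
    shadow = []
    for kind, src, target in trace:
        if kind == "call":
            if target not in FUNCTION_ENTRIES:
                return False
            shadow.append(next_addr(src))
        elif kind == "ret":
            if not shadow or shadow.pop() != target:
                return False
    return True


def find_gadgets(max_len=3):
    """Straight-line sequences of up to max_len instructions ending in ret,
    keyed by their first address (the attacker's return target)."""
    gadgets = {}
    for i, (_, mn, _) in enumerate(CODE):
        if mn != "ret":
            continue
        for start in range(max(0, i - max_len + 1), i + 1):
            seq = CODE[start:i + 1]
            if any(m in ("call", "ret", "jmp") for _, m, _ in seq[:-1]):
                continue
            gadgets[seq[0][0]] = [m if o is None else f"{m} {o}" for _, m, o in seq]
    return gadgets


def gadgets_surviving_coarse_cfi():
    """Gadgets an attacker can still return into under the coarse policy:
    those whose first instruction is call-preceded."""
    allowed = call_preceded_sites()
    return {a: g for a, g in find_gadgets().items() if a in allowed}


# Constructed traces of (kind, source address, target address).
LEGIT_TRACE = [("call", 0x1004, 0x1020), ("ret", 0x1023, 0x1009)]
# Corrupted stack holding 0x1009 twice: ret, pop rdi, ret, pop rdi, ...
ROP_CHAIN = [("ret", 0x100a, 0x1009), ("ret", 0x100a, 0x1009)]

if __name__ == "__main__":
    print("all gadgets:      ", find_gadgets())
    print("surviving gadgets:", gadgets_surviving_coarse_cfi())
    print("coarse CFI accepts ROP chain:  ", coarse_cfi_trace_ok(ROP_CHAIN))
    print("shadow stack accepts ROP chain:", shadow_stack_trace_ok(ROP_CHAIN))
```

The scan drops the classic `pop rsi; ret` gadget at 0x1010 but keeps `pop rdi; ret` at 0x1009, because 0x1009 follows a call. The chain of returns into it passes every check the coarse policy makes, while the shadow stack rejects the very first return since no call ever pushed 0x1009. A function entry such as 0x1020 is likewise a legal indirect-call target, so gadgets that start at entries survive the call check in the same way.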
Execution Integrity with In-Place Encryption
Instruction set randomization (ISR) was initially proposed with the main goal of countering code-injection attacks. However, ISR seems to have lost its appeal since code-injection attacks became less attractive once protection mechanisms such as data execution prevention (DEP) were deployed, and code-reuse attacks became more prevalent. In this paper, we show that ISR can be extended to also protect against code-reuse attacks while at the same time offering security guarantees similar to those of software diversity, control-flow integrity, and information hiding. We present Scylla, a scheme that deploys a new technique for in-place code encryption to hide the code layout of a randomized binary and restricts the control flow to a benign execution path. This allows us to i) implicitly restrict control-flow targets to basic block entries without requiring the extraction of a control-flow graph, ii) achieve execution integrity within legitimate basic blocks, and iii) hide the underlying code layout under malicious read access to the program. Our analysis demonstrates that Scylla is capable of preventing state-of-the-art attacks such as just-in-time return-oriented programming (JIT-ROP) and crash-resistant oriented programming (CROP). We extensively evaluate our prototype implementation of Scylla and show feasible performance overhead. We also provide details on how this overhead can be significantly reduced with dedicated hardware support.
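How in-place encryption can pin control transfers to block entries and hide the layout from a read primitive can be modelled in a few lines. The following is an added toy model, not Scylla's construction: each block is XOR-encrypted with a keystream bound to its entry address and followed by a short authentication tag, and the "fetch" of a transfer target decrypts using the address control actually lands on. The keystream derivation (HMAC-SHA256 in counter mode), the terminator byte, the tag length and the fixed key are all assumptions of this example; the real scheme's key handling and block format are not reproduced here.

```python
import hashlib
import hmac

TERMINATOR = 0xC3   # marks the end of a block's plaintext (model assumption)
TAG_LEN = 8         # per-block authentication tag (model assumption)
KEY = bytes(range(32))  # fixed for a reproducible run; a deployment would draw it per process


def _prf(label, entry_addr, data=b""):
    return hmac.new(KEY, label + entry_addr.to_bytes(8, "little") + data, hashlib.sha256).digest()


def keystream(entry_addr, length):
    """Keystream bound to the block entry address (HMAC in counter mode)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += _prf(b"ks", entry_addr, ctr.to_bytes(4, "little"))
    return out[:length]


def block_tag(entry_addr, plaintext):
    return _prf(b"tag", entry_addr, plaintext)[:TAG_LEN]


def encrypt_block(entry_addr, plaintext):
    """Encrypt one block in place: ciphertext followed by its tag."""
    assert plaintext[-1] == TERMINATOR and TERMINATOR not in plaintext[:-1]
    ks = keystream(entry_addr, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct + block_tag(entry_addr, plaintext)


def build_image(blocks, size):
    """Lay encrypted blocks out in a flat code image. blocks: {entry: plaintext}."""
    mem = bytearray(size)
    for addr, pt in blocks.items():
        enc = encrypt_block(addr, pt)
        mem[addr:addr + len(enc)] = enc
    return bytes(mem)


def fetch(mem, target):
    """Decrypt the block control is transferring to. The keystream is derived
    from `target`, so only a genuine block entry produces plaintext whose tag
    verifies; a mid-block landing or a patched byte yields None (a fault)."""
    ks = keystream(target, max(0, len(mem) - target))
    pt = bytearray()
    for off, c in enumerate(mem[target:]):
        pt.append(c ^ ks[off])
        if pt[-1] == TERMINATOR:
            break
    else:
        return None  # ran off the image without a terminator
    end = target + len(pt)
    if end + TAG_LEN > len(mem):
        return None
    if not hmac.compare_digest(mem[end:end + TAG_LEN], block_tag(target, bytes(pt))):
        return None
    return bytes(pt)


# Constructed blocks: {entry address: plaintext bytes ending in TERMINATOR}.
BLOCKS = {
    0x00: bytes([0x55, 0x48, 0x89, 0xE5, TERMINATOR]),
    0x20: bytes([0x48, 0x89, 0xC7, 0x5F, TERMINATOR]),
}
IMAGE = build_image(BLOCKS, 0x40)


def tampered_image():
    """Image with one ciphertext byte of the second block flipped."""
    mem = bytearray(IMAGE)
    mem[0x21] ^= 0x01
    return bytes(mem)


if __name__ == "__main__":
    print("entry 0x20 ->", fetch(IMAGE, 0x20))
    print("mid-block 0x22 ->", fetch(IMAGE, 0x22))
    print("patched block ->", fetch(tampered_image(), 0x20))
    print("plaintext visible to a read primitive:", BLOCKS[0x20] in IMAGE)
```

Three properties from the abstract fall out of the model: a transfer to 0x22 decrypts with the wrong keystream and is rejected, so targets are confined to block entries without any control-flow graph; a single modified byte inside a block fails the tag, giving integrity within the block; and a read of the image shows only ciphertext, so disclosure-based attacks like JIT-ROP learn nothing about the layout.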
Gradually Transitioning to a New Taxonomy: Thinning, Shaping, and Fading
Currently, there is a large body of work in the basic and applied literature about schedule thinning and the underlying concepts associated with these procedures. However, some of the terminology used in this research area (e.g., shaping, fading, and thinning) has been applied inconsistently, suggesting that researchers and practitioners might misunderstand these terms. In this paper, I will discuss the unsystematic use of terminology found in the literature describing schedule thinning procedures, as well as other gradual change procedures, more generally. Additionally, I will propose a new taxonomy of gradual behavior change procedures in the hope of creating a more systematic use of the terminology
Techniques for emulating indirect branches in virtual machines
Advisor: Edson Borin. Master's thesis, Universidade Estadual de Campinas, Instituto de Computação. Abstract: Dynamic binary translation is an emulation technique commonly employed in the implementation of virtual machines. In this context, the emulation of indirect branches is one of the main sources of overhead, which hinders the applicability of dynamic binary translators. This master's thesis describes several techniques that try to improve the performance and efficiency of indirect branch emulation in efficient virtual machines. DynamoRIO is a virtual machine in this category that uses features of several of these techniques. In this thesis, we present the current implementation of DynamoRIO, modify its code to include two new indirect branch emulation techniques (Inline Caching and IBTC), and compare them with other techniques described in the literature. Master's degree in Computer Science.
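The two mechanisms named in the abstract are both lookups that keep execution inside the translator's code cache. The following is an added toy model, not DynamoRIO's code: an indirect branch is resolved first through a per-site inline cache (the last target seen at that branch and its fragment), then through a shared indirect branch translation cache keyed by target address, and only then through the slow path into the translator. A plain dict stands in for the fixed-size hash table a real translator would use, and the trace of branch sites and targets is constructed.

```python
class IndirectBranchResolver:
    """Toy code-cache front end of a dynamic binary translator."""

    def __init__(self, use_inline_cache=True):
        self.use_inline_cache = use_inline_cache
        self.code_cache = {}   # source target address -> translated fragment
        self.ibtc = {}         # shared table: source target -> fragment (IBTC)
        self.inline = {}       # per branch site: (last target, fragment)
        self.stats = {"inline_hit": 0, "ibtc_hit": 0, "slow_path": 0}

    def slow_path(self, target):
        """Leave the code cache, translate (or look up) the target and publish
        it in the IBTC so later branches to it stay on the fast path."""
        self.stats["slow_path"] += 1
        frag = self.code_cache.setdefault(target, f"frag_{target:#x}")  # stand-in for generated code
        self.ibtc[target] = frag
        return frag

    def resolve(self, site, target):
        """Fragment to continue in for the indirect branch at `site` whose
        runtime target is `target`."""
        if self.use_inline_cache:
            cached = self.inline.get(site)
            if cached is not None and cached[0] == target:
                self.stats["inline_hit"] += 1      # one compare, no hashing
                return cached[1]
        frag = self.ibtc.get(target)
        if frag is not None:
            self.stats["ibtc_hit"] += 1            # shared hash lookup
        else:
            frag = self.slow_path(target)          # context switch to translator
        if self.use_inline_cache:
            self.inline[site] = (target, frag)     # site remembers its last target
        return frag


def run(trace, use_inline_cache=True):
    """Replay a trace of (branch site, runtime target) and return hit counts."""
    resolver = IndirectBranchResolver(use_inline_cache)
    for site, target in trace:
        resolver.resolve(site, target)
    return resolver.stats


# Constructed trace: a return site that always goes back to one caller, and a
# virtual call site that alternates between two targets.
TRACE = [(0x400, 0x1000)] * 5 + [(0x500, 0x2000), (0x500, 0x3000)] * 3

if __name__ == "__main__":
    print("inline cache + IBTC:", run(TRACE))
    print("IBTC only:          ", run(TRACE, use_inline_cache=False))
```

The monomorphic return site is served by the inline cache after its first resolution, while the alternating call site defeats a one-entry inline cache and falls back to the IBTC on every branch; either way the slow path is taken only once per distinct target.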
Nonidentity Matching-to-Sample with Retarded Adolescents: Stimulus Equivalences and Sample-Comparison Control
In Experiment 1, four subjects were trained to match two visual samples (A) and their respective nonidentical visual comparisons (B); i.e., A-B matching. During nonreinforced test trials, all subjects demonstrated stimulus equivalences within the context of sample-comparison reversibility (B-A matching): when B stimuli were used as samples, appropriate responding to A comparisons occurred. A-B and B-A matching persisted given novel stimuli as alternate comparisons. However, the novel comparisons were consistently selected in the presence of nonmatching stimuli; i.e., during trials comprised of a novel comparison, an A or B sample from one stimulus class, and an incorrect comparison from the other, B or A stimuli respectively. In Experiment 2, three groups of subjects were trained under three different mediated transfer paradigms (e.g., A-B, C-B matching). Tests for reversibility (e.g., B-A, B-C matching) and mediated transfer (e.g., A-C, C-A matching) evinced stimulus equivalences for 11 of 12 subjects. The 11 subjects also matched the mediated equivalences given novel comparisons, whereas they selected the novel comparisons when combined with nonmatching stimuli. Overall, the demonstrated stimulus equivalences favor a concept learning interpretation of nonidentity matching-to-sample. Additionally, the trained and mediated matching relations were comprised of complementary sets of S+ and S- rules: any stimulus of a given class used as a sample designated both the correct and incorrect comparisons.