The merger boom: an overview

Consolidation and merger of corporations ; Corporations ; Public policy

Lockdown: Dynamic Control-Flow Integrity

Applications written in low-level languages without type or memory safety are especially prone to memory corruption. Attackers gain code execution capabilities through such applications despite all currently deployed defenses by exploiting memory corruption vulnerabilities. Control-Flow Integrity (CFI) is a promising defense mechanism that restricts open control-flow transfers to a static set of well-known locations. We present Lockdown, an approach to dynamic CFI that protects legacy, binary-only executables and libraries. Lockdown adaptively learns the control-flow graph of a running process using information from a trusted dynamic loader. The sandbox component of Lockdown restricts interactions between different shared objects to imported and exported functions by enforcing fine-grained CFI checks. Our prototype implementation shows that dynamic CFI results in low performance overhead.Comment: ETH Technical Repor

HardScope: Thwarting DOP with Hardware-assisted Run-time Scope Enforcement

Widespread use of memory unsafe programming languages (e.g., C and C++) leaves many systems vulnerable to memory corruption attacks. A variety of defenses have been proposed to mitigate attacks that exploit memory errors to hijack the control flow of the code at run-time, e.g., (fine-grained) randomization or Control Flow Integrity. However, recent work on data-oriented programming (DOP) demonstrated highly expressive (Turing-complete) attacks, even in the presence of these state-of-the-art defenses. Although multiple real-world DOP attacks have been demonstrated, no efficient defenses are yet available. We propose run-time scope enforcement (RSE), a novel approach designed to efficiently mitigate all currently known DOP attacks by enforcing compile-time memory safety constraints (e.g., variable visibility rules) at run-time. We present HardScope, a proof-of-concept implementation of hardware-assisted RSE for the new RISC-V open instruction set architecture. We discuss our systematic empirical evaluation of HardScope which demonstrates that it can mitigate all currently known DOP attacks, and has a real-world performance overhead of 3.2% in embedded benchmarks

State and Local Anti-Predatory Lending Laws: The Effect of Legal Enforcement Mechanisms

Subprime mortgage lending has grown rapidly in recent years and with it, so have concerns about predatory lending. In response to evidence of predatory lending, most states have enacted new laws or expanded existing laws to address abuses in the subprime home loan market. The effect of these statutes is a matter of debate. This paper seeks to improve the understanding of this increasingly important issue and pays particular attention to the role that legal enforcement mechanisms play in this context. The results of the analysis are consistent with the view that anti-predatory lending laws influence subprime lending markets and that disaggregating the details of the overall legal framework into its component parts is essential for understanding subprime market dynamics. The restrictions, coverage, and enforcement components all have significant relationships with subprime market outcomes, with the coverage relationship found to be broadly consistent with the reverse lemons hypothesis put forward by Ho and Pennington-Cross (2007). The results also suggest that the newer mini-HOEPA laws have had an impact on the subprime market above and beyond the older preexisting laws, particularly for subprime originations. Broader coverage through these new laws is associated with higher origination likelihoods, while increased restrictions through the mini-HOEPA laws are associated with lower origination propensities

Data and Democracy

Herman B Wells Distinguished Lecture of the Institute and Society for Advanced Study given on September 21, 2001

Will the Net Turn Car Dealers into Dinosaurs? State Limits on Auto Sales Online

Many states have automobile franchise laws that impede or prohibit newcomers from entering the business of selling cars within certain local markets. The laws protect licensed local automobile dealers from certain types of competition; moreover, in many states those laws have the effect of prohibiting anyone except a licensed dealer from selling cars over the Internet. Defenders of the laws assert that they are necessary to protect consumers and dealers themselves. However, those laws harm consumers by impeding competition among sellers of cars. Several economic studies, including a study by the Federal Trade Commission, support that conclusion. In addition, state regulation of Internet commerce threatens to impede interstate commerce. The Constitution's commerce clause was intended to prevent states from erecting trade barriers that protect local businesses at the expense of national trade. The courts, therefore, will frown on states' trying to protect local dealers at the expense of consumers nationwide. The Internet is changing the traditional relationship among manufacturers, middlemen, and consumers. The middleman will not become extinct, but consumers will interact more with manufacturers, as often manufacturers are the best source of information about a product. Protectionist laws that make it harder to compete with traditional dealers harm consumers and will simply lead to stagnation. States should repeal laws that restrict online automobile sales before the Internet economy leaves their citizens behind