
    ret2spec: Speculative Execution Using Return Stack Buffers

    Speculative execution is an optimization technique that has been part of CPUs for over a decade. It predicts the outcome and target of branch instructions to avoid stalling the execution pipeline. However, until recently, the security implications of speculative code execution have not been studied. In this paper, we investigate a special type of branch predictor that is responsible for predicting return addresses. To the best of our knowledge, we are the first to study return address predictors and their consequences for the security of modern software. In our work, we show how return stack buffers (RSBs), the core unit of return address predictors, can be used to trigger misspeculations. Based on this knowledge, we propose two new attack variants using RSBs that give attackers capabilities similar to those of the documented Spectre attacks. We show how local attackers can gain arbitrary speculative code execution across processes, e.g., to leak passwords another user enters on a shared system. Our evaluation showed that the recent Spectre countermeasures deployed in operating systems can also cover such RSB-based cross-process attacks. Yet we then demonstrate that attackers can trigger misspeculation in JIT environments in order to leak arbitrary memory content of browser processes. Reading outside the sandboxed memory region with JIT-compiled code is still possible with 80% accuracy on average.

    Accurate Coverage Metrics for Compiler-Generated Debugging Information

    Many debugging tools rely on compiler-produced metadata to present a source-language view of program states, such as variable values and source line numbers. While this tends to work for unoptimised programs, current compilers often generate only partial debugging information for optimised programs. Current approaches for measuring the extent of coverage of local variables are based on crude assumptions (for example, assuming variables could cover their whole parent scope) and are not comparable from one compilation to another. In this work, we propose some new metrics, computable by our tools, which could serve as motivation for language implementations to improve debugging quality.

    On the Effectiveness of Hardware Enforced Control Flow Integrity

    Defenses such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and stack canaries have been circumvented by recent exploits. As a result, security researchers have turned towards Control Flow Integrity (CFI) to defend systems. Previous attempts to achieve CFI have tried to remain efficient and practical, but were exploitable. The NSA proposed a CFI system which integrates new hardware and program instrumentation. The purpose of this research is to assess and improve this proposal. In this paper, the system is exploited through the development of simple, vulnerable programs. It is shown to be effective in mitigating Jump Oriented Programming (JOP) attacks through an algorithm introduced as part of this work. Finally, different approaches are proposed to improve upon this system, and their merits and issues are assessed.

    The value of X-ray chest screening

    Paper read at the 1973 Annual Meeting of the Association of Physicians and Surgeons of Malta. Two cases of serious thoracic disease were discovered on routine chest X-ray screening of 150 schoolboys: one student was found to be suffering from ganglioneuroma, the other from coarctation of the aorta. Both were symptom free and both required thoracic surgery. The purpose of this paper is to emphasize and illustrate a well-known fact: the value of screening in the community. The example used is chest X-ray screening.

    Endogent: Centre for Anatomy and Invasive Techniques

    The invention of new endoscopic techniques for surgery and interventional radiology demands improved training at postgraduate level. The Endogent Centre for Anatomy and Invasive Techniques supports these requirements by establishing hands-on practical training courses using new procedures for cadaver embalming. Cadavers fixed by conventional procedures using formalin for conservation are of limited use for practical surgical courses due to the profound changes in colour, strength and fragility of organs and tissues. The new Thiel embalming technique is based on the use of 4-chloro-3-methylenphenol, various salts for fixation, boric acid for disinfecting, and ethylene glycol for preservation of tissue plasticity, while the concentration of formalin is kept to the strict minimum (0.8%). This results in well preserved organs and tissues in terms of colour, consistency, flexibility and plasticity. The articular joints remain freely movable and the peritoneal cavity can be inflated for laparoscopic procedures. Up to now this cadaver model has been used in our institute for laparoscopic bariatric surgery, colon surgery, arthroscopy and thorax surgery. Another feature is that the lungs can be ventilated during surgical procedures. Preliminary findings seem to indicate that the corpses also serve as a suitable phantom for assessing thorax radiological equipment. Expert clinicians work as tutors and give intensive instruction before the participants start with hands-on surgery. We also intend to expose our undergraduate medical students to demonstrations of surgical approaches on Thiel embalmed corpses, in order to reveal the need for detailed anatomical knowledge in the clinic at an early stage in the medical curriculum.