Software-Based Techniques for Protecting Return Addresses

Protecting computing systems against cyberattacks should be put high on the agenda. For example, Colonial Pipeline, an American oil pipeline system, suffered a cyberattack that impacted its computerized equipment managing the pipeline, leading to a state of emergency declared by President Joe Biden in May, 2021. As reported by Microsoft Security Response Center, attackers are unanimously corrupting the stack and most Control Flow Guard (CFG) improvements will provide little value-add until stack protection loads. Shadow stacks play an important role in protecting backward edges (return addresses on the call stack) to mitigate Return-Oriented Programming (ROP) attacks. Control-Flow Integrity (CFI) techniques often focus on protecting forward edges (indirect calls via function pointers and virtual calls) and assume that backward edges are protected by shadow stacks. However, the cruel reality is that shadow stacks are still not widely deployed due to compatibility, performance or security deficiencies. In this thesis, we propose three novel techniques for protecting return addresses. First, by adding one level of indirection, we introduce BarRA, the first shadow stack mechanism that applies continuous runtime re-randomization to abstract return addresses for protecting their corresponding concrete return addresses (also protected by CFI) for single-threaded programs, thus avoiding expensive pointer tracking. As a nice side-effect, BarRA naturally combines the shadow stack, CFI and runtime re-randomization in the same framework. Second, without reserving any dedicated register, we propose a novel threadlocal storage mechanism, STK-TLS, that is both efficient and free of compatibility issues. We also present a new microsecond-level runtime re-randomization technique (without relying on information hiding or MMU), STK-MSR, to mitigate information disclosure attacks and protect the shadow stack with 64-bit entropy. Based on STK-TLS and STK-MSR, we have implemented a novel stack layout (referred to as Bustk), that is highly performant, compatible with existing code, and provides meaningful security for single- and multi-threaded server programs. Third, by fast-moving safe regions in the large 47-bit user space (based on MMU), we design a practical shadow stack, FlashStack, for protecting return addresses in single- and multi-threaded programs (including browsers) running under 64-bit Linux on x86-64. FlashStack introduces a novel lightweight instrumentation mechanism, a continuous shuffling scheme for the shadow stack in user space, and a new dual-prologue approach for a protected function to mitigate the TOCTTOU attacks (constructed by Microsoft s red team), information disclosure attacks, and crash-resistant probing attacks

Towards Accurate One-Stage Object Detection with AP-Loss

One-stage object detectors are trained by optimizing classification-loss and localization-loss simultaneously, with the former suffering much from extreme foreground-background class imbalance issue due to the large number of anchors. This paper alleviates this issue by proposing a novel framework to replace the classification task in one-stage detectors with a ranking task, and adopting the Average-Precision loss (AP-loss) for the ranking problem. Due to its non-differentiability and non-convexity, the AP-loss cannot be optimized directly. For this purpose, we develop a novel optimization algorithm, which seamlessly combines the error-driven update scheme in perceptron learning and backpropagation algorithm in deep networks. We verify good convergence property of the proposed algorithm theoretically and empirically. Experimental results demonstrate notable performance improvement in state-of-the-art one-stage detectors based on AP-loss over different kinds of classification-losses on various benchmarks, without changing the network architectures. Code is available at https://github.com/cccorn/AP-loss.Comment: 13 pages, 7 figures, 4 tables, main paper + supplementary material, accepted to CVPR 201

A novel gas ionization sensor using Pd nanoparticle-capped ZnO

A novel gas ionization sensor using Pd nanoparticle-capped ZnO (Pd/ZnO) nanorods as the anode is proposed. The Pd/ZnO nanorod-based sensors, compared with the bare ZnO nanorod, show lower breakdown voltage for the detected gases with good sensitivity and selectivity. Moreover, the sensors exhibit stable performance after more than 200 tests for both inert and active gases. The simple, low-cost, Pd/ZnO nanorod-based field-ionization gas sensors presented in this study have potential applications in the field of gas sensor devices

The emergence of global phase coherence from local pairing in underdoped cuprates

In conventional metal superconductors such as aluminum, the large number of weakly bounded Cooper pairs become phase coherent as soon as they start to form. The cuprate high critical temperature ($T_c$) superconductors, in contrast, belong to a distinctively different category. To account for the high $T_c$, the attractive pairing interaction is expected to be strong and the coherence length is short. Being doped Mott insulators, the cuprates are known to have low superfluid density, thus are susceptible to phase fluctuations. It has been proposed that pairing and phase coherence may occur separately in cuprates, and $T_c$ corresponds to the phase coherence temperature controlled by the superfluid density. To elucidate the microscopic processes of pairing and phase ordering in cuprates, here we use scanning tunneling microscopy to image the evolution of electronic states in underdoped $\rm Bi_2La_xSr_{2-x}CuO_{6+{\delta}}$. Even in the insulating sample, we observe a smooth crossover from the Mott insulator to superconductor-type spectra on small islands with chequerboard order and emerging quasiparticle interference patterns following the octet model. Each chequerboard plaquette contains approximately two holes, and exhibits a stripy internal structure that has strong influence on the superconducting features. Across the insulator to superconductor boundary, the local spectra remain qualitatively the same while the quasiparticle interferences become long-ranged. These results suggest that the chequerboard plaquette with internal stripes plays a crucial role on local pairing in cuprates, and the global phase coherence is established once its spatial occupation exceeds a threshold

Emergent normal fluid in the superconducting ground state of overdoped cuprates

The microscopic mechanism for the disappearance of superconductivity in overdoped cuprates is still under heated debate. Here we use scanning tunneling spectroscopy to investigate the evolution of quasiparticle interference phenomenon in $\rm Bi_2Sr_2CuO_{6+\delta}$ over a wide range of hole densities. We find that when the system enters the overdoped regime, a peculiar quasiparticle interference wavevector with quarter-circle pattern starts to emerge even at zero bias, and its intensity grows with increasing doping level. Its energy dispersion is incompatible with the octet model for d-wave superconductivity, but is highly consistent with the scattering interference of gapless normal carriers. The weight of the gapless quasiparticle interference is mainly located at the antinodes and is independent of temperature. We propose that the normal fluid emerges from the pair-breaking scattering between flat antinodal bands in the quantum ground state, which is the primary cause for the reduction of superfluid density and suppression of superconductivity in overdoped cuprates

Particle-hole asymmetric superconducting coherence peaks in overdoped cuprates

To elucidate the superconductor to metal transition at the end of superconducting dome, the overdoped regime has stepped onto the center stage of cuprate research recently. Here, we use scanning tunneling microscopy to investigate the atomic-scale electronic structure of overdoped trilayer Bi-2223 and bilayer Bi-2212 cuprates. At low energies the spectroscopic maps are well described by dispersive quasiparticle interference patterns. However, as the bias increases to the superconducting coherence peak energy, a virtually non-dispersive pattern with sqrt(2)*sqrt(2) periodicity emerges. Remarkably, the position of the coherence peaks exhibits evident particle-hole asymmetry which also modulates with the same period. We propose that this is an extreme quasiparticle interference phenomenon, caused by pairing-breaking scattering between flat anti-nodal Bogoliubov bands, which is ultimately responsible for the superconductor to metal transition.Comment: 15 pages, 4 figure

Charge redistribution, charge order and plasmon in La2−x_{2-x}Srx_{x}CuO4_{4}/La2_{2}CuO4_{4} superlattices

Interfacial superconductors have the potential to revolutionize electronics, quantum computing, and fundamental physics due to their enhanced superconducting properties and ability to create new types of superconductors. The emergence of superconductivity at the interface of La$_{2-x}$Sr$_{x}$CuO$_{4}$/La$_{2}$CuO$_{4}$ (LSCO/LCO), with a T$_c$ enhancement of $\sim$ 10 K compared to the La$_{2-x}$Sr$_{x}$CuO$_{4}$ bulk single crystals, provides an exciting opportunity to study quantum phenomena in reduced dimensions. To investigate the carrier distribution and excitations in interfacial superconductors, we combine O K-edge resonant inelastic X-ray scattering and atomic-resolved scanning transmission electron microscopy measurements to study La$_{2-x}$Sr$_{x}$CuO$_{4}$/La$_{2}$CuO$_{4}$ superlattices (x=0.15, 0.45) and bulk La$_{1.55}$Sr$_{0.45}$CuO$_{4}$ films. We find direct evidence of charge redistribution, charge order and plasmon in LSCO/LCO superlattices. Notably, the observed behaviors of charge order and plasmon deviate from the anticipated properties of individual constituents or the average doping level of the superlattice. Instead, they conform harmoniously to the effective doping, a critical parameter governed by the T$_c$ of interfacial superconductors.Comment: 8 pages, 5 figure