Shining Light On Shadow Stacks

Control-Flow Hijacking attacks are the dominant attack vector against C/C++ programs. Control-Flow Integrity (CFI) solutions mitigate these attacks on the forward edge,i.e., indirect calls through function pointers and virtual calls. Protecting the backward edge is left to stack canaries, which are easily bypassed through information leaks. Shadow Stacks are a fully precise mechanism for protecting backwards edges, and should be deployed with CFI mitigations. We present a comprehensive analysis of all possible shadow stack mechanisms along three axes: performance, compatibility, and security. For performance comparisons we use SPEC CPU2006, while security and compatibility are qualitatively analyzed. Based on our study, we renew calls for a shadow stack design that leverages a dedicated register, resulting in low performance overhead, and minimal memory overhead, but sacrifices compatibility. We present case studies of our implementation of such a design, Shadesmar, on Phoronix and Apache to demonstrate the feasibility of dedicating a general purpose register to a security monitor on modern architectures, and the deployability of Shadesmar. Our comprehensive analysis, including detailed case studies for our novel design, allows compiler designers and practitioners to select the correct shadow stack design for different usage scenarios.Comment: To Appear in IEEE Security and Privacy 201

VPS: Excavating high-level C++ constructs from low-level binaries to protect dynamic dispatching

Polymorphism and inheritance make C++ suitable for writing complex software, but significantly increase the attack surface because the implementation relies on virtual function tables (vtables). These vtables contain function pointers that attackers can potentially hijack and in practice, vtable hijacking is one of the most important attack vector for C++ binaries. In this paper, we present VTable Pointer Separation (vps), a practical binary-level defense against vtable hijacking in C++ applications. Unlike previous binary-level defenses, which rely on unsound static analyses to match classes to virtual callsites, vps achieves a more accurate protection by restricting virtual callsites to validly created objects. More specifically, vps ensures that virtual callsites can only use objects created at valid object construction sites, and only if those objects can reach the callsite. Moreover, vps explicitly prevents false positives (falsely identified virtual callsites) from breaking the binary, an issue existing work does not handle correctly or at all. We evaluate the prototype implementation of vps on a diverse set of complex, real-world applications (MongoDB, MySQL server, Node.js, SPEC CPU2017/CPU2006), showing that our approach protects on average 97.8% of all virtual callsites in SPEC CPU2006 and 97.4% in SPEC CPU2017 (all C++ benchmarks), with a moderate performance overhead of 11% and 9% geomean, respectively. Furthermore, our evaluation reveals 86 false negatives in VTV, a popular source-based defense which is part of GCC

Devil is Virtual: Reversing Virtual Inheritance in C++ Binaries

Complexities that arise from implementation of object-oriented concepts in C++ such as virtual dispatch and dynamic type casting have attracted the attention of attackers and defenders alike. Binary-level defenses are dependent on full and precise recovery of class inheritance tree of a given program. While current solutions focus on recovering single and multiple inheritances from the binary, they are oblivious to virtual inheritance. Conventional wisdom among binary-level defenses is that virtual inheritance is uncommon and/or support for single and multiple inheritances provides implicit support for virtual inheritance. In this paper, we show neither to be true. Specifically, (1) we present an efficient technique to detect virtual inheritance in C++ binaries and show through a study that virtual inheritance can be found in non-negligible number (more than 10\% on Linux and 12.5\% on Windows) of real-world C++ programs including Mysql and libstdc++. (2) we show that failure to handle virtual inheritance introduces both false positives and false negatives in the hierarchy tree. These false positves and negatives either introduce attack surface when the hierarchy recovered is used to enforce CFI policies, or make the hierarchy difficult to understand when it is needed for program understanding (e.g., during decompilation). (3) We present a solution to recover virtual inheritance from COTS binaries. We recover a maximum of 95\% and 95.5\% (GCC -O0) and a minimum of 77.5\% and 73.8\% (Clang -O2) of virtual and intermediate bases respectively in the virtual inheritance tree.Comment: Accepted at CCS20. This is a technical report versio

Luminiscente dating of fluvial deposits in the rock shelter of Cueva Antón, Spain.

The fluvial sediments at Cueva Antón, a Middle Palaeolithic rock shelter located in the valley of the River Mula (Southeast Spain), produced abundant lithic assemblages of Mousterian affinities. Radiocarbon dates are available for the upper part of the archaeological succession, while for the middle to lower parts chronometric data have been missing. Here we present luminescence dating results for these parts of the succession. Quartz OSL on small aliquots and single grain measurements yield ages ranging from 69 ± 7 ka to 82 ± 8 ka with a weighted mean of 72 ± 4 ka for sub-complexes AS2 to AS5. Equivalent dose estimates from large aliquots were highest and inconsistent with those from single grains and small multiple grain aliquots. This is probably caused by the presence of oversaturating grains, which have been quantified by single grain measurements. Additional post-IR IRSL measurements on coarse grained feldspar give strong support to a well-bleached quartz OSL signal. While independent chronometric control is missing, the results are within the expected age range and support the notion of a rapid accumulation of the fluvial deposits

Luminescence Dating in Fluvial Settings: Overcoming the Challenge of Partial Bleaching

Optically stimulated luminescence (OSL) dating is a versatile technique that utilises the two most ubiquitous minerals on Earth (quartz or K-feldspar) for constraining the timing of sediment deposition. It has provided accurate ages in agreement with independent age control in many fluvial settings, but is often characterised by partial bleaching of individual grains. Partial bleaching can occur where sunlight exposure is limited and so only a portion of the grains in the sample was exposed to sunlight prior to burial, especially in sediment-laden, turbulent or deep water columns. OSL analysis on multiple grains can provide accurate ages for partially bleached sediments where the OSL signal intensity is dominated by a single brighter grain, but will overestimate the age where the OSL signal intensity is equally as bright (often typical of K-feldspar) or as dim (sometimes typical of quartz). In such settings, it is important to identify partial bleaching and the minimum dose population, preferably by analysing single grains, and applying the appropriate statistical age model to the dose population obtained for each sample. To determine accurate OSL ages using these age models, it is important to quantify the amount of scatter (or overdispersion) in the well-bleached part of the partially bleached dose distribution, which can vary between sediment samples depending upon the bedrock sources and transport histories of grains. Here, we discuss how the effects of partial bleaching can be easily identified and overcome to determine accurate ages. This discussion will therefore focus entirely on the burial dose determination for OSL dating, rather than the dose-rate, as only the burial doses are impacted by the effects of partial bleaching

Genetic identification of brain cell types underlying schizophrenia

With few exceptions, the marked advances in knowledge about the genetic basis of schizophrenia have not converged on findings that can be confidently used for precise experimental modeling. Applying knowledge of the cellular taxonomy of the brain from single-cell RNA-sequencing, we evaluated whether the genomic loci implicated in schizophrenia map onto specific brain cell types. We found that the common variant genomic results consistently mapped to pyramidal cells, medium spiny neurons, and certain interneurons but far less consistently to embryonic, progenitor, or glial cells. These enrichments were due to sets of genes specifically expressed in each of these cell types. We also found that many of the diverse gene sets previously associated with schizophrenia (synaptic genes, FMRP interactors, antipsychotic targets, etc.) generally implicate the same brain cell types. Our results suggest a parsimonious explanation: the common-variant genetic results for schizophrenia point at a limited set of neurons, and the gene sets point to the same cells. The genetic risk associated with medium spiny neurons did not overlap with that of glutamatergic pyramidal cells and interneurons, suggesting that different cell types have biologically distinct roles in schizophrenia