Address space layout randomization

Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries. History The Linux PaX project first coined the term "ASLR", and published the first design and implementation of ASLR in July 2001 as a patch for the Linux kernel. It is seen as a complete implementation, providing also a patch for kernel stack randomization since October 2002. The first mainstream operating system to support ASLR by default was OpenBSD version 3.4 in 2003, followed by Linux in 2005. Benefits Address space randomization hinders some types of security attacks by making it more difficult f

About this result

This page is automatically generated and may contain information that is not correct, complete, up-to-date, or relevant to your search query. The same applies to every other page on this website. Please make sure to verify the information with EPFL's official sources.

Related publications (2)

Related publications

Related people

Related units

Related concepts (21)

Related concepts

Related courses (6)

Related courses

Related lectures (12)

Related lectures

Watermarking-based Defense against Adversarial Attacks on Deep Neural Networks

James Richard Larus, Xiaoting Li, Dinghao Wu, Junjun Zhang

The vulnerability of deep neural networks to adversarial attacks has posed significant threats to real-world applications, especially security-critical ones. Given a well-trained model, slight modifications to the input samples can cause drastic changes in the predictions of the model. Many methods have been proposed to mitigate the issue. However, the majority of these defenses have proven to fail to resist all the adversarial attacks. This is mainly because the knowledge advantage of the attacker can help to either easily customize the information of the target model or create a surrogate model as a substitute to successfully construct the corresponding adversarial examples. In this paper, we propose a new defense mechanism that creates a knowledge gap between attackers and defenders by imposing a designed watermarking system into standard deep neural networks. The embedded watermark is data-independent and non-reproducible to an attacker, which improves randomization and security of the defense model without compromising performance on clean data, and thus yields knowledge disadvantage to prevent an attacker from crafting effective adversarial examples targeting the defensive model. We evaluate the performance of our watermarking defense using a wide range of watermarking algorithms against four state-of-the-art attacks on different datasets, and the experimental results validate its effectiveness.

IEEE2021

TwinDrivers: Semi-Automatic Derivation of Fast and Safe Hypervisor Network Drivers from Guest OS Drivers

Aravind Menon, Simon Schubert, Willy Zwaenepoel

In a virtualized environment, device drivers are often run inside a virtual machine (VM) rather than in the hypervisor. Doing so protects the hypervisor from bugs in the driver, and also allows the reuse of the device driver and its support infrastructure in the VM. Unfortunately, this approach results in poor performance for I/O intensive devices such as network cards. The alternative approach is to run device drivers directly in the hypervisor. Although this approach results in better performance, it suffers from the loss of safety guarantees for the hypervisor, and incurs the software engineering cost of maintaining the driver support infrastructure. In this paper we present TwinDrivers, a framework which allows us to automatically create safe and efficient hypervisor drivers from guest OS drivers. The hypervisor driver runs directly in the hypervisor, but its data resides completely in the driver VM address space. A Software Virtual Memory mechanism allows the driver to access its VM data efficiently from the hypervisor running in any guest context, and also protects the hypervisor from invalid memory accesses from the driver. An upcall mechanism allows the hypervisor to largely reuse the driver support infrastructure present in the VM. The TwinDriver system thus combines the performance benefits of hypervisor-driver based approaches with the safety and software engineering benefits of VM driver based approaches. Using the TwinDrivers hypervisor driver, we are able to improve the guest domain networking performance in Xen by a factor of 2.4 for transmit workloads, and 2.1 for receive workloads. The resulting transmit perfomance is within 64% of native Linux performance, and the receive performance is within 67% of Linux performance.

ACM2009

CS-323: Introduction to operating systems

Introduction to basic concepts of operating systems.

COM-301: Computer security

This is an introductory course to computer security and privacy. Its goal is to provide students with means to reason about security and privacy problems, and provide them with tools to confront them.

CS-412: Software security

This course focuses on software security fundamentals, secure coding guidelines and principles, and advanced software security concepts. Students learn to assess and understand threats, learn how to design and implement secure software systems, and get hands-on experience with security pitfalls.

Buffer overflow

In programming and information security, a buffer overflow or buffer overrun is an anomaly whereby a program writes data to a buffer beyond the buffer's allocated memory, overwriting adjacent memory

Position-independent code

In computing, position-independent code (PIC) or position-independent executable (PIE) is a body of machine code that, being pl

IOS

iOS (formerly iPhone OS) is a mobile operating system developed by Apple Inc. exclusively for its hardware. It is the operating system that powers many of the company's mobile devices, including the i