Threat Detection and Defenses:

Software Security and Defenses

Legacy Code Protection. Just-In-Time Vulnerability Protection.


Malware constitutes one of the largest security threats in our digitized society. Malware infests consumer systems with, e.g., ransomware that aims at blackmailing victims, or it is used for espionage and cyber sabotage. Malware infests systems because of software vulnerabilities. Unfortunately, those vulnerabilities are often based on the very fundamental way processors work: this makes it difficult to prevent existing and future vulnerabilities.


Legacy Code Protection Against Run-Time Attacks. One of the fundamental characteristics of computer systems is their versatility - they can run arbitrary software by blindly executing each command that is given to them. This strong suit of computers, that software can be changed during run-time, is at the same time their weakest point. In the past, several such ways of changing a program's behavior during run-time have emerged and are actively being used by adversaries to impose their behavior on a running process. This research line focuses on mitigating exploits based on e.g. ROP by applying language-level, OS-level or hypervisor-level protection, thereby protecting legacy programs. This is intentionally complementing the more revolutionary approach of proposing the use of safer programming languages, since this pragmatic approach results in an immediate, additional layer of protection.

Just-In-Time Vulnerability Protection. Several powerful attacks abuse the possibility to read or even transform a program's own code. Such introspection methods are usually not necessary for benign general-purpose programs. However, attackers exploit that capability to reveal hidden information stored in the memory of a process. We have therefore systematically analyzed the root cause of such vulnerabilities and also proposed defense mechanisms. One contributing factor to the underlying memory disclosure vulnerabilities is a hardware design decision that we successfully remedied by proposing a new hardware and software primitive XnR. The other reason is that JIT compilers (e.g., in browsers) put the attacker in control of the code layout, with no need to even read the generated code. This has lead us to propose new defense mechanisms to protect against JIT-based code-reuse attacks in browsers and to enhance the security of JIT-generated code. These solutions are complementary to formal verification and static analysis.