Practical and Principled Security
Most deployed defenses in software security are point solutions to specific attacks, which leads to an arms race. Unfortunately, many principled solutions remain undeployed, partly because of their complexity, but possibly also because of the false sense of security that point solutions give people. So are the deployed solutions really good enough in practice? If not, how can we make principled solutions more practical and deployable?
Modern deployed protection mechanisms can in fact be defeated, as we show with our new Blind Return Oriented Programming (BROP) attack. Using BROP we exploited a recent vulnerability in the nginx web server running on 64-bit Linux with ASLR, NX and stack canaries enabled. BROP also shows that attackers can sometimes exploit proprietary services for which neither the source nor the binary is available.
While there are established security principles that could have prevented BROP, unfortunately they are not deployed. For example, privilege separation suggests splitting a high-privilege application into multiple lesser-privilege components, so that a compromise of one component does not yield the privileges of the whole. How to achieve this ideal in practice is not obvious: how do we split existing code, and how do we make the resulting decomposed system run fast? I'll briefly present Wedge, a privilege separation system that helps split existing code, and then focus on Dune, a generic platform that makes principled security practical: Dune leverages modern CPU hardware to make systems like Wedge run fast. Dune also enables practical performance improvements in a range of applications beyond security.
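To make the privilege separation principle concrete, here is an added example (not code from Wedge, Dune or the talk) of the simplest form of the pattern on POSIX: a privileged parent forks a worker, the worker drops to an unprivileged uid/gid before it touches untrusted input, and the two communicate over a pipe. The "parser" is a hypothetical stand-in for risky code; its deliberate crash on an input containing `CRASH` is a constructed simulation of a memory-safety bug, the uid/gid 65534 is an assumed "nobody" account, and the sample inputs are constructed. When the program runs as a non-root user, the privilege drop is a no-op because there is no privilege to shed, but the isolation of a crashing worker from its parent still shows.

```c
/* Added example of process-based privilege separation (not Wedge/Dune code).
 * Parent keeps its privileges; the child drops them before parsing untrusted
 * input, so a bug in the parser cannot hand the parent's privileges to an
 * attacker, and a crash in the parser does not take the parent down. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed uid/gid of an unprivileged account (commonly "nobody" on Linux). */
#define UNPRIV_UID 65534
#define UNPRIV_GID 65534

/* Hypothetical risky parser: counts comma-separated fields in a line.
 * An input containing "CRASH" aborts the process, simulating a memory-safety
 * bug triggered by malicious input (constructed for this example). */
static int count_fields(const char *line) {
    if (strstr(line, "CRASH") != NULL)
        abort();
    if (line[0] == '\0')
        return 0;
    int fields = 1;
    for (const char *p = line; *p != '\0'; p++)
        if (*p == ',')
            fields++;
    return fields;
}

/* Drop to uid/gid permanently. Returns 0 on success, -1 on failure.
 * Order matters: the group must be changed while still root, and the final
 * setuid(0) must FAIL, proving that root cannot be regained. If the process
 * is not root there is nothing to drop, so this is a no-op. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0)
        return 0;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)      /* must be refused once privileges are gone */
        return -1;
    return 0;
}

/* Run count_fields() on untrusted input inside an unprivileged child.
 * Returns the field count, or -1 if the worker failed for any reason
 * (privilege drop refused, crash, or truncated reply). */
int parse_in_sandbox(const char *untrusted, uid_t uid, gid_t gid) {
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    fflush(NULL);            /* avoid duplicated stdio buffers after fork */
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {          /* child: shed privilege, then do the risky work */
        close(fds[0]);
        if (drop_privileges(uid, gid) != 0)
            _exit(2);
        int n = count_fields(untrusted);
        ssize_t w = write(fds[1], &n, sizeof n);
        _exit(w == (ssize_t)sizeof n ? 0 : 1);
    }
    close(fds[1]);           /* parent: read the reply, then reap the child */
    int result = -1;
    ssize_t r = read(fds[0], &result, sizeof result);
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (r != (ssize_t)sizeof result || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return result;
}

int main(void) {
    /* Constructed sample inputs: a benign line, a "malicious" one, an empty one. */
    const char *inputs[] = { "a,b,c", "CRASH,me", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int n = parse_in_sandbox(inputs[i], UNPRIV_UID, UNPRIV_GID);
        printf("\"%s\" -> %d%s\n", inputs[i], n,
               n < 0 ? " (worker failed; parent unaffected)" : "");
    }
    return 0;
}
```

Wedge and Dune address what this sketch leaves open: the worker here still inherits the parent's whole address space at fork time, so any secret already in memory is visible to it, and forking a process per request is expensive. Splitting existing code so that each component sees only the memory it needs, and doing so fast, is exactly the hard part the talk is about.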