The inability of programmers to write vulnerability-free code is the most pressing problem in practical computer systems security. The most serious class of vulnerabilities is memory vulnerabilities, which generally allow an attacker to subvert the program's control flow. In response to this problem, generic mitigations have been widely deployed that, through changes to the operating system and processor, seek to make it impossible for attackers to exploit errors in programs.
Implementers considering deploying such mitigations must know how much (if at all) a generic mitigation improves security and what its costs are if they are to allocate R&D resources wisely. Unfortunately, until recently, the benefits of generic mitigations were studied only superficially. Recent first steps have already shed some light, showing, e.g., that the widely deployed "W-xor-X" mitigation provides no security benefit whatsoever.
This project puts imperfect, ad hoc mitigation on a scientific footing. It provides a formal, comprehensive analysis to determine what the cost-benefit equation is for generic mitigations.
The project begins by producing quantitative analyses of current mitigation techniques and of attacks; these analyses facilitate the creation of new mitigations that resist attacks that foil current mitigations; these new mitigations are implemented, evaluated, and disseminated. In addition, the project develops a sandboxed environment for experimenting with software vulnerabilities and malicious code, and a curriculum for teaching systems security.
The results will be better use of implementation resources for vendors; a more secure legacy software environment for users; and better security education for the next generation of programmers, so they will not make the mistakes earlier ones did.