MINESTRONE: Identifying and containing software vulnerabilities



Instruction-set Randomization (ISR)
Instruction-set randomization (ISR) is a technique that randomizes the "language" understood by a system to protect it from code-injection attacks. Such attacks were used by many computer worms in the past, and they still pose a threat, as confirmed by the recent Conficker worm outbreak and the latest exploits targeting some of Adobe's most popular products. We created a tool that offers a fast and practical implementation of ISR that (more...)

Defending Against Code-Reuse Attacks
The wide adoption of protection mechanisms such as non-executable pages (W^X) and Data Execution Prevention (DEP) has given rise to a new type of attack, known as a code-reuse attack, which achieves arbitrary code execution without injecting any attacker-supplied code. In this project, we aim to hinder code-reuse attacks by breaking the assumptions that the attacker can make about the process code image. (more...)

REASSURE: A Self-contained Mechanism for Healing Software Using Rescue Points
Software failures in server applications are a significant problem for preserving system availability. Rescue points are a known mechanism for recovering software from unknown faults. REASSURE is a self-contained system that uses the Pin DBI framework to apply (more...)

Older Projects

You can find older projects of the group here.

Latest News

Our paper "ShadowReplica: Efficient Parallelization of Dynamic Data Flow Tracking" is to appear in the 20th ACM Conference on Computer and Communications Security (CCS).
Our paper "Parrot: a Practical Runtime for Deterministic, Stable, and Reliable Threads" is to appear in the 24th ACM Symposium on Operating Systems Principles (SOSP).
Our paper "An Accurate Stack Memory Abstraction and Symbolic Analysis Framework for Executables" is to appear in the 29th IEEE International Conference on Software Maintenance (ICSM).
Our paper "Transparent ROP Exploit Mitigation using Indirect Branch Tracing" is to appear in the 22nd USENIX Security Symposium.
Our paper "MINESTRONE: Testing the SOUP" is to appear in the 6th Workshop on Cyber Security Experimentation and Test (CSET).
This work is supported by the United States Air Force Research Laboratory (AFRL) through Contract FA8650-10-C-7024. Opinions, findings, conclusions and recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the US Government, or the Air Force.