Concurrency Attacks and Defenses

Multithreaded programs are getting increasingly pervasive and critical. Unfortunately, they remain extremely difficult to write. This difficulty has led to many subtle but serious concurrency vulnerabilities such as race conditions in real-world multithreaded programs. Just as vulnerabilities in sequential programs can lead to security exploits, concurrency vulnerabilities can also be exploited by attackers to gain privilege, steal information, inject arbitrary code, etc. Concurrency attacks targeting these vulnerabilities are impending (see CVE http://www.cvedetails.com/vulnerability-list/cweid-362/vulnerabilities.html), yet few existing defense techniques can deal with concurrency vulnerabilities. In fact, many of the traditional defense techniques are rendered unsafe by concurrency vulnerabilities. The objective of this project is to take a holistic approach to creating novel program analysis/protection techniques and a system called DASH to secure multithreaded programs and harden traditional defense techniques in a concurrency environment. We do so by selectively combining static and dynamic techniques, thus getting the best of both worlds. We anticipate numerous contributions from this project; the main ones are: (1) a thorough understanding of concurrency attacks and their implications to traditional defense techniques; (2) accurate and effective techniques to detect, avoid, and survive concurrency vulnerabilities; and (3) hardening of traditional defense techniques for multithreaded programs. The greatest impact of our project is a novel approach and the DASH system for improving software security and reliability, thus greatly benefiting the Nation's cyber security. DASH can also be used for offense: the Military can gain new competitive means in cyber warfare by running DASH to identify concurrency vulnerabilities in the infrastructure of hostile nations.