Accession Number : ADA623732


Title : Preventing Exploits Against Software of Uncertain Provenance (PEASOUP)


Descriptive Note : Final rept. 26 Aug 2010-30 Nov 2013


Corporate Author : GRAMMATECH INC ITHACA NY


Personal Author(s) : Melski, David


Full Text : http://www.dtic.mil/get-tr-doc/pdf?AD=ADA623732


Report Date : May 2015


Pagination or Media Count : 257


Abstract : We describe the results of the research and development of PEASOUP (Preventing Exploits Against Software of Uncertain Provenance), a technology that enables the safe execution of software executables. PEASOUP provides the following capabilities: it prevents exploits of number-handling weaknesses and memory-safety weaknesses; prevents OS command injections, OS command argument injections, SQL injections, and denial-of-service exploits based on inducing a null-pointer dereference; and prevents any exploit based on arc-injection or code-injection, regardless of the type of vulnerability targeted for attack. PEASOUP also offers experimental protection against exploits of many concurrency and resource-drain vulnerabilities, including file-system Time-Of-Check-to-Time-Of-Use (TOCTOU) vulnerabilities, use of non-reentrant functions in signal handlers, deadlock vulnerabilities, atomicity violations, memory leaks, and file-handle leaks. The PEASOUP effort advanced the state of the art in automatic machine-code analysis, diversification, confinement, and remediation. Specific results include: a technique for preventing command injection attacks inspired by DNA shotgun sequencing, a technique that often allows server programs to remain operational after an attempted null-pointer dereference, improved integer-error analyses, improved protections for heap- and stack-allocated memory, novel techniques for analyzing file input types, and a superior design for a software dynamic translator that prevents attacks against the translator.


Descriptors : *COMPUTER PROGRAMS , *COMPUTER SECURITY , ATTACK , ERRORS , PROTECTION , TEST AND EVALUATION , VULNERABILITY


Subject Categories : Computer Programming and Software , Computer Systems Management and Standards


Distribution Statement : APPROVED FOR PUBLIC RELEASE