DirectAccess Security Hardening

This article presents a model of terrorist attacks as signals where the government is uncertain as to whether it is facing a group that is politically motivated or militant. Pooling equilibriums result with two types of ex post regret: P-regret, where the government concedes to political types that would not subsequently attack; and M-regret, where the government does not concede to militant types that subsequently attack at greater levels. Avoidance of such regret defines a measure of the value of intelligence. Counter-terrorism policy can then be characterized in terms of whether a government should focus on increased intelligence versus increased security (hardening targets). The recommended use of asset freezing is also evaluated in terms of the resources required by terrorists to achieve the various equilibriums. Finally, this article supports the empirical finding of intertemporal substitution of resources by terrorists, concerned with the level of government response to their attacks.

Download Full-text

Securely Sharing Randomized Code that Flies

Digital Threats: Research and Practice ◽

10.1145/3474558 ◽

2021 ◽

Author(s):

Christopher J ◽

Jinwoo Yom ◽

Changwoo Min ◽

Yeongjin Jang

Keyword(s):

Role Model ◽

Code Transformations ◽

Early Return ◽

Security Hardening ◽

Code Sharing ◽

Time Diversification ◽

Space Layout ◽

Integrated Or ◽

Address Space Layout Randomization ◽

With Memory

Address Space Layout Randomization (ASLR) was a great role model being a light-weight defense technique that could prevent early return-oriented programming attacks. Simple yet effective, ASLR was quickly widely-adopted. Conversely, today only a trickle of defense techniques are being integrated or adopted mainstream. As code reuse attacks have evolved, defenses have strived to keep up. To do so, many have had to take unfavorable tradeoffs like using background threads or protecting only a subset of sensitive code. In reality, these tradeoffs were unavoidable steps necessary to improve the strength of the state-of-the-art. We present Goose, an on-demand system-wide runtime re-randomization technique capable of scalable protection of application as well as shared library code most defenses have forgone. We achieve code sharing with diversification by implementing reactive and scalable, rather than continuous or one-time diversification. Enabling code sharing further removes redundant computation like tracking, patching, along with memory overheads required by prior randomization techniques. In its baseline state, the code transformations needed for Goose security hardening incur a reasonable performance overhead of 5.5% on SPEC and minimal degradation of 4.4% in NGINX, demonstrating its applicability to both compute-intensive and scalable real-world applications. Even when under attack, Goose only adds from less than 1% up to 15% depending on application complexity.

Download Full-text