Reference : MUSTI: Dynamic Prevention of Invalid Object Initialization Attacks
Scientific journals : Article
Engineering, computing & technology : Computer science
http://hdl.handle.net/10993/42590
MUSTI: Dynamic Prevention of Invalid Object Initialization Attacks
English
Bartel, Alexandre [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
Klein, Jacques [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC)]
Le Traon, Yves [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > Computer Science and Communications Research Unit (CSC)]
2019
IEEE Transactions on Information Forensics and Security
Institute of Electrical and Electronics Engineers
Yes (verified by ORBilu)
1556-6013
1556-6021
Los Angeles
United States
[en] java ; security ; vulnerability
[en] Invalid object initialization vulnerabilities have been identified since the 1990s by a research group at Princeton University. These vulnerabilities are critical since they can be used to totally compromise the security of a Java virtual machine. Recently, such a vulnerability identified as CVE-2017-3289 has been found again in the bytecode verifier of the JVM and affects more than 40 versions of the JVM. In this paper, we present a runtime solution called MUSTI to detect and prevent attacks leveraging this kind of critical vulnerability. We optimize MUSTI to have a runtime overhead below 0.5% and a memory overhead below 0.42%. Compared to the state of the art, MUSTI is completely automated and does not require manual annotation of the code.
https://www.abartel.net/static/p/tifs2019-musti.pdf

File(s) associated to this reference

Fulltext file(s):

File | Commentary | Version | Size | Access
tifs2019-musti.pdf | | Publisher postprint | 681.2 kB | Open access


All documents in ORBilu are protected by a user license.