Memory corruption vulnerabilities (e.g., in C/C++ programs) are a primary way attackers defeat modern cyber defenses such as anti-virus, whitelisting, and trusted computing. All large software systems generally have these bugs, including systems with extensive testing and auditing processes. Even most “memory safe” programming languages, such as Java, Python and JavaScript, depend on runtime environments and system libraries that are implemented in C/C++ and that regularly have new memory vulnerabilities discovered in their code. New Common Vulnerabilities and Exposures (CVE) reports are created every month showing successful exploitation of these vulnerabilities.
The exploit problem is so severe that much of the current cyber defense research simply assumes system compromise via exploitation is certain to happen and instead focuses on recognizing and cleaning up the attacks after the fact with network monitoring, integrity checking, forensics, sandboxing, and automated recovery systems. This assumption arises because the current defensive strategy against exploits is a time-consuming game of “whack-a-mole”: finding memory vulnerabilities in commonly used software and patching the bugs one by one. The vulnerabilities are therefore typically not found until after a successful cyber attack has occurred. Even when the vulnerabilities are discovered ahead of time by defenders, there is still a window of opportunity for attackers between the announcement of a patch and the deployment of that patch across the world. Thus, the current situation creates an environment in which defenders must find all vulnerabilities whereas the attacker need only find one. As a result, attackers have a distinct advantage that can even enable advanced persistent threats against nation-state resources, such as the military and defense industrial base, which are at risk of espionage and sabotage.
Accordingly, it may be desirable to continue to develop improved mechanisms for providing defense against memory vulnerability exploits. Moreover, it may be desirable to recognize the bottlenecks in the process of exploiting computer systems so that common patterns of memory corruption in deployed systems can be recognized as soon as they occur and stopped before they can achieve arbitrary code execution. Current technologies that are robust enough to identify memory corruption have too much overhead to use in deployed systems and cannot be used at runtime. Thus, it may also be desirable to provide a solution with low enough overhead to permit use at runtime.