Erdem Aktas

Erdem Aktas

Security Researcher

  • Home
  • Research
  • Links
  • Blog
  • Contact
© Erdem Aktas

Research

  • Continuous, Low Overhead, Run-Time Validation of Program Executions

    Continuous, Low Overhead, Run-Time Validation of Program Executions

    Erdem Aktas, Furat Afram, Kanad Ghose

    Publication date: 2014/12/13
    Conference Name: Proceedings of the 47th Annual IEEE/ACM International Symposium on Microarchitecture
    Pages: 229-241
    Publisher: IEEE Computer Society

    Description
    Abstract— The construction of trustworthy systems demands that the execution of every piece of code is validated as genuine, that is, the executed codes do exactly what they are supposed to do. Pre-execution validations of code integrity fail to detect run time compromises like code injection, return and jump-oriented programming, and illegal dynamic linking of program modules. We propose and evaluate a generalized mechanism called REV (for Run-time Execution Validator) that can be easily integrated into a contemporary out-of-order processor to validate, as the program executes, the control flow path and instructions executed along the control flow path. To prevent memory from being tainted by compromised code, REV also prevents updates to the memory from a basic block until its execution has been authenticated. Although control flow signature based authentication of an execution has been suggested before for software testing and for restricted cases of embedded systems, their extensions to out-of-order cores is a non-incremental effort from a microarchitectural standpoint. Unlike REV, the existing solutions do not scale with binary sizes, require binaries to be altered or require new ISA support and also fail to contain errors and, in general, impose a heavy performance penalty. We show, using a detailed cycle accurate micro architectural simulator for an out-of-order pipeline implementing the X86 ISA that the performance overhead of REV is limited to 1.87% on the average across the SPEC 2006 benchmarks.
    Keywords-component; Trusted Computing, Control-Flow Validation, Secure Execution, Control-Flow Integrity, Hardware Security, Computer Security
    See it on academia.edu
  • System and method for authenticating remote execution

    System and method for authenticating remote execution

    Inventors: Kanad Ghose, Erdem Aktas,

    Publication date: 2012/10/9
    Patent office: US
    Patent number: 8285999
    Application number: 12/631839

    Description
    With the widespread use of the distributed systems comes the need to secure such systems against a wide variety of threats. Recent security mechanisms are grossly inadequate in authenticating the program executions at the clients or servers, as the clients, servers and the executing programs themselves can be compromised after the clients and servers pass the authentication phase. A generic framework is provided for authenticating remote executions on a potentially untrusted remote server—essentially validating that what is …
    See it on Google Scholar
  • DARE: A framework for dynamic authentication of remote executions

    DARE: A framework for dynamic authentication of remote executions

    Erdem Aktas, Kanad Ghose

    Publication date: 2008/12/8
    Conference name: Computer Security Applications Conference, 2008. ACSAC 2008. Annual
    Pages: 453-462
    Publisher: IEEE

    Description
    Abstract With the widespread use of the distributed systems comes the need to secure such systems against a wide variety of threats. Recent security mechanisms are grossly inadequate in authenticating the program executions at the clients or servers, as the clients, servers and the executing programs themselves can be compromised after the clients and servers pass the authentication phase. This paper presents a generic framework for authenticating remote executions on a potentially untrusted remote server–essentially …
    See it on Google Scholar
  • Authenticating executions for trusted systems

    Authenticating executions for trusted systems

    Author: Erdem Aktas

    Publication date: 2013/11
    Institution: STATE UNIVERSITY OF NEW YORK AT BINGHAMTON

    Description
    Abstract: Constructing trustworthy computer systems requires validating that every executed
    piece of code is genuine and that the programs do exactly what they are supposed to do.
    However, pre-execution code integrity validations can fail to detect run-time compromises,
    such as code injection, return and jump-oriented programming, and illegal linking of code to
    compromised library functions. In this dissertation, we propose and investigate three distinct
    mechanisms for authenticating code execution at run-time. The common goal of these …
    See it on Google Scholar
  • Run-time control flow authentication: an assessment on contemporary x86 platforms

    Run-time control flow authentication: an assessment on contemporary x86 platforms

    Authors: Erdem Aktas, Kanad Ghose

    Publication date: 2013/3/18
    Conference Name: Proceedings of the 28th Annual ACM Symposium on Applied Computing
    Pages: 1859-1866
    Publisher: ACM

    Description
    Abstract: We propose and experimentally evaluate a technique of authenticating the execution of a program through the continuous run-time validation of control flow. Control flow authentication is useful in detecting security violations that alter the normal flow of control at run time through techniques such as call stack smashing, return and jump-oriented programming. Our technique relies on the use of existing support for branch tracing in contemporary processors, typified by the branch trace store (BTS) mechanism of …
    See it on Google Scholar
  • Energy-Aware Load Direction for Servers: A Feasibility Study

    Energy-Aware Load Direction for Servers: A Feasibility Study

    Authors: Shane Case, Furat Afram, Erdem Aktas, Kanad Ghose

    Publication date: 2012/2/15
    Conference Name: Parallel, Distributed and Network-Based Processing (PDP), 2012 20th Euromicro International Conference on
    Pages: 359-367
    Publisher: IEEE

    Description
    Abstract: We address the problem of improving the energy efficiency of servers that provide web-based services, including services provided through clouds. We propose an automated technique for allocating workload to servers to operate the fewest number of servers that are needed to cope with the instantaneous workload, leaving some headroom for workload surges. The technique requires no a priori knowledge about individual workloads and  manages the server states explicitly. We use synthetic scripts, a small server setup and …
    See it on Google Scholar