Search for: All records

Creators/Authors contains: "Liu, Song"

  1. Control-flow integrity (CFI) is a widely adopted defense against control-flow hijacking attacks, designed to restrict indirect control transfers to a set of legitimate targets. However, even under a precise static CFI policy, attackers can still hijack control flow through function substitution attacks (SUB attacks), by replacing one valid target with another that remains within the allowed set. While prior work has demonstrated the feasibility of such attacks through manual construction, no approach constructs them systematically, scalably, and in an end-to-end manner. In this work, we present SACK, the first systematic framework for automatically constructing SUB attacks at scale. SACK collects triggered indirect call targets from benign executions and synthesizes security oracles with the assistance of a large language model. It then automatically performs target substitutions and leverages security oracles to detect security violations, while ensuring that execution strictly adheres to precise CFI policies. We apply SACK to seven widely used applications and successfully construct 419 SUB attacks that compromise critical security features. We further develop five end-to-end exploits based on historical bugs in SQLite3, V8 and Nginx, enabling arbitrary command execution or authentication bypass. Our results demonstrate that SACK provides a scalable and automated pipeline capable of uncovering large numbers of end-to-end attacks across diverse applications. 
  2. Localized states in two-dimensional (2D) transition metal dichalcogenides (TMDCs) have been the subject of intense study, driven by potential applications in quantum information science. Despite the rapidly growing knowledge surrounding these emitters, their microscopic nature is still not fully understood, limiting their production and application. Motivated by this challenge, and by recent theoretical and experimental evidence showing that nanowrinkles generate strain-localized room-temperature emitters, we demonstrate a method to intentionally induce wrinkles with collections of stressors, showing that long-range wrinkle direction and position are controllable with patterned array design. Nano-photoluminescence (nano-PL) imaging combined with detailed strain modeling based on measured wrinkle topography establishes a correlation between wrinkle properties, particularly shear strain, and localized exciton emission. Beyond the array-induced wrinkles, nano-PL spatial maps further reveal that the strain environment around individual stressors is heterogeneous due to the presence of fine wrinkles that are less deterministic. At cryogenic temperatures, antibunched emission is observed, confirming that the nanocone-induced strain is sufficiently large for the formation of quantum emitters. At 300 K, detailed nanoscale hyperspectral images uncover a wide range of low-energy emission peaks originating from the fine wrinkles, and show that the states can be tightly confined to regions <10 nm, even in ambient conditions. These results establish a promising potential route towards realizing room temperature quantum emission in 2D TMDC systems.
  3. First-order phase transitions produce abrupt changes to the character of both ground and excited electronic states. Here we conduct electronic compressibility measurements to map the spin phase diagram and Landau level (LL) energies of monolayer WSe2 in a magnetic field. We resolve a sequence of first-order phase transitions between completely spin-polarized LLs and states with LLs of both spins. Unexpectedly, the LL gaps are roughly constant over a wide range of magnetic fields below the transitions, which we show reflects spin-polarized ground states with opposite spin excitations. These transitions also extend into compressible regimes, with a sawtooth boundary between full and partial spin polarization. We link these observations to the important influence of LL filling on the exchange energy beyond a smooth density-dependent contribution. Our results show that WSe2 realizes a unique hierarchy of energy scales where such effects induce reentrant magnetic phase transitions tuned by density and magnetic field. Published by the American Physical Society, 2024.
  4. As control-flow protection techniques are widely deployed, it is difficult for attackers to modify control data, such as function pointers, to hijack program control flow. Instead, data-only attacks corrupt security-critical non-control data (critical data) and can bypass all control-flow protections to revive severe attacks. Previous works have explored various methods to help construct or prevent data-only attacks. However, no solution can automatically detect program-specific critical data. In this paper, we identify an important category of critical data, syscall-guard variables, and propose a set of solutions to automatically detect such variables in a scalable manner. Syscall-guard variables determine whether security-related system calls (syscalls) are invoked, and altering them allows attackers to request extra privileges from the operating system. We propose branch force, which intentionally flips every conditional branch during execution and checks whether new security-related syscalls are invoked. If so, we conduct data-flow analysis to estimate the feasibility of flipping such branches through common memory errors. We build a tool, VIPER, to implement our ideas. VIPER successfully detects 34 previously unknown syscall-guard variables from 13 programs. We build four new data-only attacks on sqlite and v8, which execute arbitrary commands or delete arbitrary files. VIPER completes its analysis within five minutes for most programs, showing its practicality for spotting syscall-guard variables.