REARM: Protecting ARM Binaries via Load-time Reduction and Run-time Read-Protection
Abstract
Reducing the attack surface of software by removing unused code (i.e., software debloating) has been shown to be a promising countermeasure against exploitation. However, this research direction is still in its early stage of development and faces major limitations and challenges. First, existing works can only remove a small subset of unnecessary code due to the intrinsic over-approximation (or unsoundness) of code reachability analysis. Second, existing works offer no protection to unremovable code, which often contains enough vulnerabilities and reusable code gadgets for successful exploitation. Third, existing works usually target programs built for x86 platforms while leaving out other increasingly important architectures, such as ARM.
In this project, we will overcome these limitations and challenges via a new approach to software debloating. We will design and build REARM, a framework that can: (1) perform load-time reduction of ARM binaries (i.e., on-demand and learning-based loading of code); (2) enforce run-time read-protection of loaded code (i.e., transforming and mapping code to hidden, execute-only memory pages). REARM will work on COTS (commercial off-the-shelf) binaries and not require any assistance from developers or end users. REARM starts programs with a minimum amount of code pages loaded from executables. When an absent code page is needed during a program execution, REARM checks whether the current control-flow transfer to that absent page complies with the statically constructed program dependence graph. It only loads the page when the check passes. REARM can learn frequently used program features and hot code pages on the fly, and then use that knowledge to pre-load heavily dependent code pages in future program runs. In addition, REARM dynamically transforms code being loaded. It maps code into execute-only memory pages, relocates embedded data in such pages, and updates data references and symbol information accordingly.
This transformation, without breaking program executions or permanently changing executable files, protects loaded code (i.e., unremovable code) against exploitation and ROP gadget searches. Our preliminary results show that REARM is capable of significantly reducing the amount of code loaded in memory for applications, shared libraries, and kernel drivers, without interrupting normal program executions. Moreover, REARM can effectively mitigate manipulation of, and attacks on, loaded code.
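As an added illustration (not REARM's own code, which this abstract does not include), the following Linux C program simulates the load-time check described above: code pages start absent (mapped PROT_NONE), a SIGSEGV handler stands in for the page-fault path, and a constructed `allowed` table stands in for the statically built program dependence graph. The table, the fake page contents, and the function names `transfer` and `loaded_count` are assumptions; the loaded page is left PROT_READ where REARM would map it execute-only, because execute-only mappings are architecture-specific.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define NPAGES 4
/* Constructed stand-in for the program dependence graph: allowed[src][dst] == 1
 * means code on page src may transfer control to page dst. Row 0 (entry) may
 * reach page 1, page 1 may reach page 2, page 2 is a leaf, page 3 is unreachable. */
static const int allowed[NPAGES][NPAGES] = {{0,1,0,0}, {0,0,1,0}, {0,0,0,0}, {0,0,0,0}};
static unsigned char *region, *image; /* region: PROT_NONE "absent" pages; image: fake on-disk code */
static long pagesz;
static int loaded[NPAGES], cur_page;
static sigjmp_buf deny_env;

static void on_fault(int sig, siginfo_t *si, void *ctx) { (void)sig; (void)ctx;
    unsigned long idx = ((uintptr_t)si->si_addr - (uintptr_t)region) / (unsigned long)pagesz;
    if (idx >= NPAGES) { signal(SIGSEGV, SIG_DFL); return; } /* unrelated crash: let it die */
    if (!allowed[cur_page][idx]) siglongjmp(deny_env, 1);     /* transfer not in the PDG: refuse */
    unsigned char *pg = region + idx * pagesz;
    mprotect(pg, pagesz, PROT_READ | PROT_WRITE);  /* bring the page in from the image ... */
    memcpy(pg, image + idx * pagesz, pagesz);
    mprotect(pg, pagesz, PROT_READ);  /* ... then lock it; REARM would use PROT_EXEC only */
    loaded[idx] = 1;
}
static int init(void) {
    if (region) return 0;
    pagesz = sysconf(_SC_PAGESIZE);
    region = mmap(NULL, NPAGES * pagesz, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    image = mmap(NULL, NPAGES * pagesz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED || image == MAP_FAILED) { region = NULL; return -1; }
    for (int i = 0; i < NPAGES; i++) image[i * pagesz] = (unsigned char)('A' + i); /* fake code */
    struct sigaction sa; memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault; sa.sa_flags = SA_SIGINFO; sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}
/* Simulate a control-flow transfer from page src to page dst. Returns the first
 * byte of the target page once it is resident, or -1 if the transfer was refused. */
int transfer(int src, int dst) {
    if (src < 0 || src >= NPAGES || dst < 0 || dst >= NPAGES || init() < 0) return -1;
    cur_page = src;
    if (sigsetjmp(deny_env, 1) != 0) return -1;           /* on_fault() refused the page */
    volatile unsigned char *target = region + dst * pagesz;
    return *target;                      /* faults if absent: on_fault() loads or refuses */
}
int loaded_count(void) { int n = 0; for (int i = 0; i < NPAGES; i++) n += loaded[i]; return n; }
```

Once a page has been admitted it stays resident, so a later transfer to it from a page the table does not list is no longer checked; that is the same property the abstract's run-time read-protection is meant to cover for code that cannot be removed.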
Document Details
- Document Type: DoD Grant Award
- Publication Date: Mar 03, 2017
- Source ID: N000141712227
Entities
People
- Long Lu
Organizations
- Office of Naval Research
- Research Foundation for the State University of New York
- United States Navy