Attack Surface Reduction for Binary Programs

Abstract

Programs tend to accumulate features over time. Adding features to programs increases their size and complexity. This, in turn, typically raises the number of exploitable vulnerabilities they contain even when many of these features go unused. Vulnerabilities in dormant code are often exploited in the wild long before a security update is available.

Reducing the attack surface at the source code level is often impractical. For proprietary software, the source code is usually only available to its vendor, and not released even after that vendor stops maintaining the software. For open source software, the source code might be available to the user, but the compiler is often unable to remove dormant code because the compiler must conservatively assume that the code is still needed by external program modules.

We propose to reduce the attack surface of complex programs through feature removal and hardening at the binary level. Our approach is based on selective lifting of binary code to a higher-level intermediate representation (IR) which lends itself to aggressive optimization and hardening using regular compiler passes. Binary lifting makes it possible to quickly and efficiently adapt software to new usage requirements and new threats without requiring any cooperation from the original program author or vendor.

Analyzing binaries is far more challenging than source-based analysis, because the translation to machine code strips away lots of high-level semantic information. It is therefore generally very hard to perform lifting entirely statically, i.e., reliably recover program structures such as function boundaries without executing the program. On the other hand, it is also very difficult to perform lifting entirely dynamically since this requires driving execution down all possible program paths.

Contrary to existing frameworks that attempt to statically lift an entire input program, our proposed project will integrate dynamic and static techniques to identify and lift only the essential parts of the program code to IR. We will perform research on identifying such essential parts of a program automatically. We will also create tools for administrators for manually designating specific parts of a program as essential and other parts for removal, with the system automatically determining the status of the remaining program parts based on mutual dependencies. We will then run aggressive optimization and hardening passes on the lifted IR code. The output of our framework will be a new binary program containing only the essential functionality of the input program, with a far smaller attack surface.

Pruning a program in this manner may, in some cases, lead to the situation that the end user invokes functionality that was present in the original program, but that was removed during recompilation/rewriting. We intend to investigate different fallback mechanisms to handle such situations. For example, a fallback mechanism could consist of emulating the original functionality in a strongly isolated environment, ensuring that the code in question doesn't cause any harm to the target system, but at the cost of reduced performance for the emulated parts.

If successful, our project will create significant new capabilities for handling binary code. In the long term, having a new method for adapting legacy binaries as platforms evolve will lead to major cost savings. But even more importantly, and in the much shorter term, our approach is an enabling technology for client-side removal of software vulnerabilities, without having to wait for the original author of the software to release a patch. In the context of the Navy, in which ships are often at sea for extended periods and far away from higher-level computing support, this could well prove to be a pivotal new defense mechanism against the rapidly rising tide of malware threats.

Document Details

Document Type
DoD Grant Award
Publication Date
Sep 29, 2017
Source ID
N000141712782

Entities

People

  • Michael Franz

Organizations

  • Naval Information Warfare Center Pacific
  • Office of Naval Research
  • United States Navy

Tags

Fields of Study

  • Computer science
  • Engineering

Readers

  • Computer Programming and Software Development
  • Data Mining and Knowledge Discovery
  • Database Systems and Applications

Technology Areas

  • Cyber