REARM: Protecting ARM Binaries via Load-time Reduction and Run-time Read-Protection.
Abstract
Reducing attack surface of software by removing unused code (i.e., software debloating) has been shown as a promising countermeasure against exploitations. However, this research direction is still in its early stage of development and faces major limitations and challenges. First, existing works can only remove a small subset of unnecessary code due to the intrinsic over-approximation (or unsoundness) of code reachability analysis. Second, existing works offer no protection to unremovable code, which often contains enough vulnerabilities and reusable code gadgets that are needed for successful exploitations. Third, existing works usually target programs built for x86 platforms while leaving out other increasingly important architectures, such as ARM.

In this project, we will overcome these limitations and challenges via a new approach to software debloating. We will design and build REARM, a framework that can: (1) perform load-time reduction of ARM binaries (i.e., on-demand and learning-based loading of code); (2) enforce run-time read-protection of loaded code (i.e., transforming and mapping code to hidden, execute-only memory pages). REARM will work on COTS (commercial off the shelf) binaries and not require any assistance from developers or end users.

REARM starts programs with a minimum amount of code pages loaded from executables. When an absent code page is needed during a program execution, REARM checks if the current control flow transfer to that absent page complies with the statically constructed program dependence graph. It only loads the page when the check passes. REARM can learn frequently used program features and hot code pages on the fly, and then use the knowledge to pre-load heavily dependent code pages in future program runs. In addition, REARM dynamically transforms code being loaded. It maps code into executable-only memory pages, relocates embedded data in such pages, and updates data references and symbol information accordingly. This transformation, without breaking program executions or permanently changing executable files, protects loaded code (i.e., unremovable code) against exploitations and ROP gadget searches. Our preliminary results show that REARM is capable of significantly reducing the amount of code loaded in memory for applications, shared libraries, and kernel drivers, without interrupting normal program executions. Moreover, REARM can effectively mitigate manipulations and attacks of loaded code.
Document Details
- Document Type: DoD Grant Award
- Publication Date: Dec 20, 2017
- Source ID: N000141812043
Entities
People
- Long Lu
Organizations
- Northeastern University
- Office of Naval Research
- United States Navy