Workshop Program
- Registration desk open
- Registration desk open
- Breakfast
- Opening Session and Invited Talk 1
-
Opening Session
Mayur Naik (University of Pennsylvania) and Yan Shoshitaishvili (Arizona State University)
-
Invited Talk 1: System Debloating via Compile-time Configuration and Hybrid Binary Rewriting
Hong Hu (Georgia Institute of Technology)
Abstract: Current practice of software development leads to bloated programs with excessive features unneeded by end users. In this talk, I will present our recent work on debloating system kernels and user space programs. For the system kennel, we examine the effectiveness of debloating through compile-time configuration. We figure out that existing configuration system provides a convenient mechanism to reduce the attack surface, but requires fine-grained configurations for flexible debloating. For user space applications without a well-defined configuration system, we build a binary rewriting framework to remove unnecessary functionalities and insert security checks. Our method utilizes dynamic instrumentation to reliably collect execution traces, and relies on the static instrumentation to avoid expensive runtime overhead. At the end of the talk, I will discuss the relationships between software debloating and other defense mechanisms, like control-flow integrity and software-based fault isolation.
Bio: Dr. Hong Hu is a postdoctoral fellow in the School of Computer Science, College of Computing, the Georgia Institute of Technology. He received his Ph.D. degree in computer science from the National University of Singapore in 2016, and his B.E. degree in information security from the Huazhong University of Science and Technology in 2011. His main research area is system security, focusing on detecting memory errors from C/C++ programs, exploring new attack vectors and developing defense mechanisms to prevent exploits. His work has appeared in top venues in system security (USENIX Security, IEEE Security and Privacy, CCS, ICECCS and ESORICS). He received the Best Paper Award from ICECCS 2014.
- Coffee Break
- Technical Session 1 - Binary Analysis and Transformation
-
Clone-Slicer: Detecting Domain Specific Binary Code Clones through Program Slicing
Hongfa Xue (George Washington University); Guru Venkataramani (George Washington University); Tian Lan (George Washington University)
-
Abstract:
Detecting code clones is important for various software engineering development and debugging tasks. In particular, binary code clone detection can have significant uses in the context of legacy applications that are already deployed in several critical domains. In this paper, we present an novel framework, Clone-Slicer, for identifying domain-specific binary code clones (e.g., pointer-related code) through program slicing. Our approach first eliminates non-domain-related instructions through program slicing, and then applies deep learning-based algorithm to model code samples as numerical vectors for the remaining binary instructions. We then use clustering algorithms to aggregate code clones, and use formal analysis to verify validity of code clones. Our experimental results show the Clone-Slicer can swiftly identify up tp 43.64\% code clones and cut the time-to-solution by 32.96\% compared to previously proposed code clone detectors.
-
-
BinRec: Attack Surface Reduction Through Dynamic Binary Recovery
Taddeus Kroes (Vrije Universiteit Amsterdam); Anil Altinay (University of California, Irvine); Joseph Nash (University of California, Irvine); Yeoul Na (University of California, Irvine); Stijn Volckaert (University of California, Irvine); Herbert Bos (Vrije Universiteit Amsterdam); Michael Franz (University of California, Irvine); Cristiano Giuffrida (Vrije Universiteit Amsterdam)
-
Abstract:
Compile-time specialization and feature pruning through static binary rewriting have been proposed repeatedly as techniques for reducing the attack surface of large programs, and for minimizing the trusted computing base. We propose a new approach to attack surface reduction: dynamic binary lifting and recompilation. We present BinRec, a binary recompilation framework that lifts binaries to a compiler-level intermediate representation (IR) to allow complex transformations on the captured code. After transformation, BinRec lowers the IR back to a “recovered” binary, which is semantically equivalent to the input binary, but does have its unnecessary features removed. Unlike existing approaches, which are mostly based on static analysis and rewriting, our framework analyzes and lifts binaries dynamically. The crucial advantage is that we can not only observe the full program including all of its dependencies, but we can also determine which program features the end-user actually uses. We evaluate the correctness and performance of BinRec, and show that our approach enables aggressive pruning of unwanted features in COTS binaries.
-
-
Towards Interface-Driven COTS Binary Hardening
Xiaoyang Xu (University of Texas at Dallas); Wenhao Wang (University of Texas at Dallas); Kevin W. Hamlen (University of Texas at Dallas); Zhiqiang Lin (Ohio State University)
-
Abstract:
This paper considers the problem of hardening COTS binary software products (e.g., via control-flow integrity and/or software fault isolation defenses) in contexts where the surrounding software environment includes closed-source, unmodifiable, and possibly obfuscated binary components, such as system libraries, OS kernels, and virtualization layers. We demonstrate that many code hardening algorithms, when applied only to the user-level software products in such environments, leave open critical vulnerabilities that arise from mismatches between the application-agnostic security policies enforced by the system modules versus the application-specific policies enforced at the application layer. To overcome this problem, we propose a modular approach for hardening application-level software in such environments without the need to harden all other software in the environment with exactly the same protection strategy or policies. Our approach embeds application-level protections within objects shared by interoperating modules. Modules that obey their interface specifications therefore receive an appropriate granularity of protection automatically when they invoke shared object methods. Our experiences of developing and refining this approach for Microsoft Windows environments is discussed.
-
- Lunch
-
Invited Talk 2: Hiding PIN's Artifacts to Defeat Evasive Malware
Mario Polino (Politecnico di Milano)
Abstract: Malware authors constantly develop new techniques in order to evade analysis systems. Previous works addressed attempts to evade analysis by means of anti-sandboxing and anti-virtualization techniques, for example proposing to run samples on bare-metal. However, state-of-the-art bare-metal tools fail to provide richness and completeness in the results of the analysis. In this context, Dynamic Binary Instrumentation (DBI) tools have become popular in the analysis of new malware samples because of the deep control they guarantee over the instrumented binary. In fact, in some specific scenarios (e.g., manual and automated reverse engineering) we need to fully monitor and control the analyzed binary. As a consequence, malware authors developed new techniques, called anti-instrumentation, aimed at detecting if a sample is being instrumented. Such techniques look at the artifacts produced during the instrumentation process and leverage some intrinsic characteristics of a DBI tool. We propose a practical approach to make DBI tools stealthier and resilient against anti-instrumentation attacks. We studied the common techniques used by malware to detect the presence of a DBI tool, and we proposed a set of countermeasures to defeat them. We implemented our approach in Arancino, on top of the Intel Pin framework. Arancino is able to hide Pin's artifacts making hard for malware to spot its presence. In order to achieve this, we leverage the power of DBI tools to fully control the execution flow of the instrumented process. This allows us to detect and dismantle possible evasion attempts. We tested our system against eXait, a tool containing a set of plugins that aim at detecting when a program is instrumented by Intel Pin, showing that Arancino is able to hide Intel Pin, allowing the analysis of evasive binaries. Armed with Arancino, we then performed a large-scale measurement of the anti-instrumentation techniques employed by modern malware. We collected and analyzed 7,006 malware samples, monitoring the evasive behaviors that triggered our system, hence studying the common techniques adopted by modern malware authors to perform evasion of instrumentation systems.
Bio: Mario Polino received his Ph.D. from Politecnico di Milano in Italy, working at NECST laboratory as part of the Computer Security group inside Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB). His main research revolve around malware analysis with a specific attention on behavioral analysis to assist malware analysts. He is interested in various computer security topics, and has worked on several topics ranging from cyber-physical systems to static binary analysis, going through Bank Fraud Analysis and Android Security. He loves playing Capture the Flag competitions, so he spend his free time playing.
- Technical Session 2 - Security Hardening of Networked Systems
-
Making Break-ups Less Painful: Source-level Support for Transforming Legacy Software into a Network of Tasks
Nik Sultana (University of Pennsylvania); Achala Rao (University of Pennsylvania); Zihao Jin (Tsinghua University); Pardis Pashakhanloo (University of Pennsylvania); Henry Zhu (University of Pennsylvania); Ke Zhong (Shanghai Jiao Tong University); Boon Thau Loo (University of Pennsylvania)
-
Abstract:
“Breaking up” software into a dataflow network of tasks can improve availability and performance by exploiting the flexibility of the resulting graph, more granular resource use, hardware concurrency and modern interconnects. Decomposing legacy systems in this manner is difficult and ad hoc however, raising such challenges as weaker consistency and potential data races. Thus it is difficult to build on battle-tested legacy systems. We propose a paradigm and supporting tools for developers to recognize task-level modularity opportunities in software. We use the Apache web server as an example of legacy software to test our ideas. This is a stepping stone towards realizing a vision where automated decision-support tools assist in the decomposition of systems to improve the reuse of components, meet performance targets or exploit new hardware devices and topologies.
-
-
TOSS: Tailoring Online Server Systems through Binary Feature Customization
Yurong Chen (George Washington University); Shaowen Sun (George Washington University); Tian Lan (George Washington University); Guru Venkataramani (George Washington University)
-
Abstract:
Network-based models are increasingly adopted to deliver key software service and utilities (e.g., data storage, search, and processing) to end users. The need to satisfy diverse user requirements and to fit different application environment often leads to continual expansion and addition of new (and in many cases excessive) features, known as the feature creep problem. Existing work mitigating feature bloat often either debloats programs at source code level (which may not always be available, in particular for legacy systems) or customize binary only with respect to very limited scope of inputs. In this paper, we propose a new approach, TOSS , for automated customization of online servers and software systems, which are implemented using a client-server architecture based on the underlying network protocols. Specifically, TOSS harnesses program tracing and tainting-guided symbolic execution to identify desired (feature-related) code from the original program binary, and apply static binary rewriting to remove redundant features and directly create customized program binary with only desired features. We implement a prototype of TOSS and evaluate its feasibility using real-world executables including Mosquitto, which relies on the Message Queuing Telemetry Transport (MQTT) protocol for lightweight Internet of Things (IoT) communications. The results show that TOSS is able to create a functional program binary with only desired features and significantly reduce potential attack surface by eliminating undesired protocol/program features.
-