Workshop Program

Abstract:

When applying patches, or dealing with legacy software, users are often reluctant to change the production executables for fear of unwanted side effects. This results in many active systems running vulnerable or buggy code even though the problems have already been identified and resolved by developers. Furthermore when dealing with old or proprietary software, users can't view or compile source code so any attempts to change the application after distribution requires binary level manipulation. We present a new technique we call binary quilting that allows users to apply the minimum required patch such that production software can be patched preserving existing core semantics without fear of unwanted side effects introduced either by the build process or by additional code changes. Unlike hot patching binary quilting is a one time procedure that creates an entirely new reusable binary. Our case studies show the efficacy of this technique on real software in real patching scenarios.

Abstract:

When a software transformation or software security task needs to analyze or operate on a given program binary, the first step is often disassembly. Since many modern disassemblers have become highly accurate on many binaries, we believe reliable disassembler benchmarking requires standardizing (i) the set of binaries used and (ii) the disassembly ground truth about these binaries. This work proposes a first version of our work-in-progress disassembly benchmark suite, which comprises 879 binaries from diverse projects compiled with multiple compilers and optimization settings. We start by presenting a novel disassembly ground truth generator that relies on “listing files”, with broad support of clang, gcc, icc, and msvc. Then we use our benchmark suite and our custom evaluation system to evaluate 4 prominent open-source disassemblers. Our entire system and all generated data are maintained openly on GitHub to encourage community adoption.

Abstract:

With the increasing popularity of multicore processors and multi-thread languages/frameworks, race conditions -- which are non-deterministic by nature -- are becoming a main root cause for concurrency bugs. It opens doors to malicious attacks such as remote code execution and denial of service attacks, potentially putting millions of users in danger. Yet, such non-deterministic racing conditions are often difficult to identify or reproduce in standard program testing. In this paper, we focus on the Garbage-Collection (GC) feature, which is known to be a frequent victim of concurrency bugs in many software systems. We develop a new approach to facilitate the testing of GC-related bugs through critical condition restoration. In particular, we propose a risk-score mechanism to quantify the risk of GC-related bugs in target functions and leverage the score to select appropriate testing parameters and garbage generation strategy, with a higher chance of producing the critical condition. Our experimental results show that the proposed approach could significantly improve the probability of finding GC-related bugs (from 0 in condition-oblivious testing to 14.8 bugs identified in our experiment) while incurring only around 26% execution overhead.

Abstract:

Static binary instrumentation tools have been facing deployability concerns. One of the major cause of concern is compatibility with C++ exception handling and stack tracing. Although contemporary works identify this as an engineering challenge, there has been no strudy to fully understand the impact of exception handling compatibility on the instrumentation process. To support exception handling compilers generate additional metadata. This metadata can serve as a rich source of information regarding code layout and can simplify various aspects of instrumentation process. In this paper, we show that by exploiting the exception handling metadata, it is possible to achieve 0 false positive in function identification. This paper also evaluates the security implications of this metadata. Attackers can exploit this metadata to gain leverage against code randomization based security hardening techniques.

Abstract:

Common vulnerabilities and exposures (CVE) usually exploit design or implementation flaws of specific features in widely used network protocols, causing serious security and safety threats on full-scale devices and systems. Feature isolation as a general protocol customization practice is shown to be highly promising to reduce attack surfaces in these protocols. In this ongoing work, we propose a systematic approach to achieve automatic feature isolation using various program analysis based techniques. Specifically, we present two methods targeting different feature granularity to automatically identify and remove unnecessary features in a software protocol implementation. In addition, we develop a semantic reconstruction mechanism to enforce user-specified feature access control policies. Preliminary case studies confirm that our proposed techniques can be effectively applied on real-world protocol vulnerabilities.

Abstract:

This paper presents an approach for remotely accessing and controlling mobile apps by leveraging a mobile platform's publicly exported accessibility features. This approach is implemented in a technique and accompanying tool called . While is designed to be platform-independent, our current implementation has focused on iOS, the significantly more challenging of the two dominant mobile platforms, for which access to apps' source code is generally not possible. We show that places no restrictions on apps it can ``plug into'' and control, is able to handle a variety of scenarios, and imposes a negligible performance overhead.