
Combined Static Analysis and Machine Learning Prediction for Application Debloating (2404.00196v1)

Published 30 Mar 2024 in cs.CR

Abstract: Software debloating can effectively thwart certain code reuse attacks by reducing attack surfaces to break gadget chains. Approaches based on static analysis restrict the set of functions that may execute at a callsite by leveraging static properties of the callgraph. This achieves low runtime overhead, but the function set is computed conservatively, which limits the reduction. In contrast, approaches based on ML have much better precision and can sharply reduce function sets, significantly reducing the attack surface. Nevertheless, mispredictions occur in ML-based approaches. These cause overheads and, worse, there is no clear way to distinguish between mispredictions and actual attacks. In this work, we contend that a software debloating approach that incorporates ML-based predictions at runtime is realistic in a whole-application setting, and that it can achieve significant attack surface reductions beyond the state of the art. We develop a framework, Predictive Debloat with Static Guarantees (PDSG). PDSG is fully sound and works on application source code. At runtime it predicts the dynamic callee set emanating from a callsite, and to resolve mispredictions it employs a lightweight audit based on static invariants of call chains. We deduce the invariants offline and assert that they hold at runtime whenever there is a misprediction. To the best of our knowledge, it achieves the highest gadget reductions among similar techniques on SPEC CPU 2017, reducing 82.5% of the total gadgets on average. It triggers misprediction checks on only 3.8% of the total predictions invoked at runtime, and it leverages Datalog to verify that dynamic call sequences conform to the static call relations. It has an overhead of 8.9%, which makes the scheme attractive for practical deployments.
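The abstract's predict-then-audit scheme, as an added toy model that is not the paper's code: a static callgraph gives the conservative callee set, a stand-in predictor proposes a smaller set, and only a miss triggers the Datalog-style invariant check that separates a benign misprediction from a call the static relations never allow. The callgraph, the predicted sets and the runtime trace are all constructed for this example.

```python
# Constructed static call relations as Datalog facts call(Caller, Site, Callee);
# the program and all names are hypothetical, made up for this example.
STATIC_CALLS = [("main", "cs1", "parse"), ("main", "cs1", "dispatch"),
                ("dispatch", "cs2", "handle_get"), ("dispatch", "cs2", "handle_put"),
                ("handle_get", "cs3", "read_file"), ("handle_put", "cs4", "write_file")]
# Stand-in for the ML predictor: the (smaller) callee set it expects per callsite.
PREDICTED = {"cs1": {"parse", "dispatch"}, "cs2": {"handle_get"},
             "cs3": {"read_file"}, "cs4": {"write_file"}}
EDGE = {(c, e) for c, _, e in STATIC_CALLS}

def reach_closure(edges):
    """Datalog to a fixed point: reach(X,Y) :- call(X,Y). reach(X,Z) :- call(X,Y), reach(Y,Z)."""
    reach = set(edges)
    while True:
        new = {(x, z) for x, y in edges for y2, z in reach if y == y2} - reach
        if not new:
            return reach
        reach |= new

REACH = reach_closure(EDGE)

def audit(chain, site, callee):
    """Static invariants asserted only on a misprediction; `chain` is the dynamic
    call chain, outermost first, so chain[-1] is the caller at `site`."""
    site_callees = {e for c, s, e in STATIC_CALLS if (c, s) == (chain[-1], site)}
    return ((chain[0], callee) in REACH                     # reachable from the root
            and callee in site_callees                      # a static callee of this site
            and all(p in EDGE for p in zip(chain, chain[1:])))  # chain matches the callgraph

def run_trace(trace):
    """Replay (chain, site, callee) events and return prediction/audit statistics."""
    stats = {"predictions": 0, "audits": 0, "benign": 0, "violations": []}
    for chain, site, callee in trace:
        stats["predictions"] += 1
        if callee in PREDICTED.get(site, set()):
            continue                              # prediction hit: fast path, no audit
        stats["audits"] += 1
        if audit(chain, site, callee):
            stats["benign"] += 1                  # misprediction, but statically valid
        else:
            stats["violations"].append((site, callee))
    return stats

# Constructed runtime trace: four ordinary events, then two that break the invariants.
TRACE = [(["main"], "cs1", "dispatch"),
         (["main", "dispatch"], "cs2", "handle_get"),
         (["main", "dispatch", "handle_get"], "cs3", "read_file"),
         (["main", "dispatch"], "cs2", "handle_put"),   # mispredicted, statically valid
         (["main", "dispatch"], "cs2", "write_file"),   # reachable, not a callee of cs2
         (["main"], "cs1", "exit_handler")]             # absent from the static callgraph
```

Note that a prediction hit is never audited, which is exactly the abstract's trade-off: the audit cost is paid only on the small fraction of mispredicted calls.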
