F-Detector/F-Blocker
F-detector is a system for disabling unwanted features in binary applications. It works by detecting a key control-flow branch in the application that corresponds to the activation of the unwanted feature. F-detector uses execution traces from both user-provided and mutation-produced inputs, in combination with information obtained through static analysis of the application’s binary. F-blocker models the unwanted feature as an unanticipated fault and uses software self-healing to disable it without terminating the application.
ASAN--
AddressSanitizer (ASan) is a powerful memory error detector. It can detect various errors ranging from spatial issues like out-of-bound accesses to temporal issues like use-after-free. However, ASan has the major drawback of high runtime overhead. In order to reduce the overhead, we propose ASan--, a tool assembling a group of optimizations to reduce (or “debloat”) sanitizer checks and improve ASan’s efficiency without harming the capability, scalability, or usability.
Libfilter: Debloating Binary Shared Libraries
Developers today have access to an arsenal of toolkits and libraries for rapid application prototyping. However, when an application loads a library, the entirety of that library’s code is mapped into the address space, even if only a single function is actually needed. The unused portion is bloat that can negatively impact software defenses by unnecessarily inflating their overhead or increasing their attack surface. Libfilter is a tool that uses static analysis to identify the parts of shared libraries that are not required for a binary application to operate. Those parts can be erased to produce debloating libraries. Libfilter implements the algorithms in described in the Nibbler paper on top of the Egalito binary analysis framework.
BlindSide: Hacking Blind in the Spectre Era
BlindSide is a new attack technique that leverages hardware vulnerabilities, like Spectre, to facilitate "blind" attacks against non crash-resistant software. Hardware vulnerabilities enable attackers armed with a single memory corruption vulnerability to compromise the Linux kernel without triggering any crashes. Essentially, BlindSide elevates memory write vulnerabilities to powerful speculative probing primitives, where the attacker leaks information by observing microarchitectural side effects. Moreover, BlindSide is effective even when strong Spectre and randomization defenses have been deployed in the kernel. BLINDSIDE received a Pwnie award.
All You Ever Wanted to Know About x86/x64 Binary Disassembly But Were Afraid to Ask
Disassembly of binary code is hard, but necessary for improving the security of binary software. Over the past few decades, research in binary disassembly has produced many tools and frameworks, which have been made available to researchers and security professionals. These tools employ a variety of strategies that grant them different characteristics. We have systematically studied nine popular, open-source tools. We couple the manual examination of their code bases with the most comprehensive experimental evaluation (thus far) using 3,788 binaries. Our study yields a comprehensive description and organization of strategies for disassembly, classifying them as either algorithm or else heuristic. Meanwhile, we measure and report the impact of individual algorithms on the results of each tool. We find that while principled algorithms are used by all tools, they still heavily rely on heuristics to increase code coverage. Depending on the heuristics used, different coverage-vs-correctness trade-offs come in play, leading to tools with different strengths and weaknesses.
Position-independent Code Reuse (PIROP)
PIROP is a novel exploitation technique that does not require any information disclosure. PIROP involves initially generating a rudimentary ROP payload (for instance, containing code pointers that target instructions "close" to relevant gadgets) by "massaging" memory through interacting with the vulnerable program. Afterwards, the addresses in this payload are patched with small offsets via relative memory writes. PIROP depends on a relative memory-overwrite bug being present, which we can find both in browsers (e.g., Firefox) and servers (e.g., Asterisk). The complexity of PIROP is high, but it significantly lowers the requirements for successful exploitation.
ShrinkWrap - VTV extension for protecting VTables
C++ is a popular, fast, object-oriented (OO) language used to develop some of the most popular software, such as Web browsers, including Chrome and Mozilla. OO languages, such as C++, support run-time method binding, i.e., determining the method to be called based on the run-time type of an object, instead of the static type of the pointer pointing to that object. Modern compilers typically provide this functionality through VTables, which provide an efficient way to call the correct method at run time. Unfortunately, VTables are based on indirect calls, i.e., virtual calls, which is what makes them a prominent target for hijacking the control flow of a program. While multiple source- and binary-based solutions for protecting VTables have been proposed already, we found that in practice they are too conservative, which allows determined attackers to circumvent them. In this paper we delve into the design of C++ VTables and match that knowledge against the now industry standard protection scheme of VTV. We designed a new approach that significantly refines VTV, to offer a provably optimal protection scheme. As we build on top of VTV, we preserve all of its advantages in terms of software compatibility and overhead. Thus, our proposed design comes for free for any user today. Besides the design we also develop a testing methodology, which can be used by future developers to validate their implementations. ShrinkWrap was evaluated using Google Chrome.
Virtual Partitioning
Applications can be logically separated to parts that face different types of threats, or suffer dissimilar exposure to a particular threat because of external events or innate properties of the software. Based on this observation, we propose the virtual partitioning of applications that will allow the selective and targeted application of those protection mechanisms that are most needed on each partition, or manage an application’s attack surface by protecting the most exposed partition. We demonstrate the value of our scheme by introducing a methodology to automatically partition software, based on an intrinsic property such as user authentication. Our approach is able to automatically determine the point where the user authenticates, without access to source code. At runtime, we partition binaries using a binary monitor that utilizes the identified authentication points to split execution to pre- and post-authentications parts, and adapts defenses by switching between protection mechanisms of varied intensity, such as dynamic taint analysis and instruction-set randomization.
Cascading REASSURE
A tool based on Intel's PIN dynamic instrumentation framework that implements software self-healing using rescue points for multi-tier architectures. When an application executing within a RP transmits data, the remote peer is notified to also perform a checkpoint, so the communicating entities checkpoint in a coordinated, but loosely coupled way.
REASSURE
REASSURE is a tool based on Intel's PIN dynamic instrumentation framework that implements software self-healing using rescue points. Rescue points are existing code locations that handle certain anticipated errors in the target application, usually by returning an error code. REASSURE is a self-contained mechanism to enable the use of such rescue points on binary-only software, without any changes in the operating system. REASSURE won best paper award in IWSEC'11, in Tokyo, Japan.
Taint Exchange
A generic cross-process and cross-host taint tracking framework based on Intel's Pin DBI and libdft. It intercepts I/O related system calls to transparently multiplex fine-grained taint information into existing communication channels, like sockets and pipes.
libdft
libdft is a framework based on Intel's PIN dynamic instrumentation framework that provides dynamic data flow tracking (DFT) for x86 binaries. DFT can be used to track data while a program is executing, and powers techniques like Dynamic Taint Analysis (DTA) that can be used to harden software. This work appeared in VEE'12.
ISRuPIN
ISRuPIN is a tool based on Intel's PIN dynamic instrumentation framework that implements instruction-set randomization for x86 binaries in Linux. It is relatively lightweight, and it supports shared libraries and multiple randomization keys. This work appeared in ACSAC'10.
Argos
The Argos secure emulator is a whole system emulator (based on the Qemu emulator) that employs dynamic taint analysis to detect zero-day attacks (such as buffer-overflows, dangling pointers, etc). Argos is primarily used to to host honeypots, and analyze the detected attacks. Our work on Argos was published in EUROSYS’06.
AUTHd: Admission Control Daemon
AUTHd provides authorization services for other services. It can be used to authenticate and authorize entities to perform a set of actions depending on their credentials and a policy.
FFPF
FFPF is an operating system I/O subsystem that minimizes copying and context switching in the Linux kernel. FFPF was published in OSDI’04. FFPF is now Streamline thanks to Willem De Bruijn.