Improving Systems Security through Attack Surface Reduction and Execution Transparency
University:Department of Computer Science at Stevens Institute of Technology
Systems security is of critical importance today more than ever.
Through the years, defenses, such as address space layout randomization,
data-execution prevention, and stack and heap protections have
significantly raised the bar for attackers, making software exploitation
hard. However, attacks have also evolved to a new level of
sophistication, combining multiple vulnerabilities to launch code-reuse
attacks that “re-purpose” existing code to execute arbitrary
computations. Unfortunately, even small applications tend to include
large quantities of code that attackers can use, due to the use of
shared libraries, which are included in their entirety even if a single
function is used by the developer.
In the first part of my talk, I will present our work on reducing the
attack surface of applications by removing code that is not used by the
application. Our approach aims to operate on binary software deployed on
the majority of server and desktop Linux systems that heavily relies on
shared libraries. During the talk, I will discuss the challenges
involved in reconstructing a conservative function-call graph that can
be used to identify and delete unused library code, as well as future
directions in attack surface reduction.
In the second part, I will talk about our work on an efficient
information-flow tracking system that utilizes parallelism, hardware
debugging extensions, and code optimization. Information-flow tracking
is a powerful primitive that increases execution transparency by
revealing how a data are used by a program. It has many applications as
it can be used to prevent attacks code-reuse attacks, data leaks,
perform forensics on compromised systems, etc. Unfortunately, it
exhibits large overheads which currently disqualify it from deployment
on production systems. Our current works aims to develop a very low
overhead system that will make the technique a commodity.