Vidya Lakshmi Rajagopalan,Konstantinos Kleftogiorgos,Enes Göktaş,Jun Xu,Georgios Portokalidis

DOI: https://doi.org/10.48550/arXiv.2309.05169

2023-09-27

Abstract:Restricting the system calls available to applications reduces the attack surface of the kernel and limits the functionality available to compromised applications. Recent approaches automatically identify the system calls required by programs to block unneeded ones. For servers, they even consider different phases of execution to tighten restrictions after initialization completes. However, they require access to the source code for applications and libraries, depend on users identifying when the server transitions from initialization to serving clients, or do not account for dynamically-loaded libraries. This paper introduces SYSPART, an automatic system-call filtering system designed for binary-only server programs that addresses the above limitations. Using a novel algorithm that combines static and dynamic analysis, SYSPART identifies the serving phases of all working threads of a server. Static analysis is used to compute the system calls required during the various serving phases in a sound manner, and dynamic observations are only used to complement static resolution of dynamically-loaded libraries when necessary. We evaluated SYSPART using six popular servers on x86-64 Linux to demonstrate its effectiveness in automatically identifying serving phases, generating accurate system-call filters, and mitigating attacks. Our results show that SYSPART outperforms prior binary-only approaches and performs comparably to source-code approaches.

Cryptography and Security

Qiang Zeng,Zhi Xin,Dinghao Wu,Peng Liu,Bing Mao

2013-01-01

Abstract:The system call interface defines the services an operating system kernel provides to user space programs. An operating system usually provides a uniform system call interface to all user programs, while in practice no programs utilize the whole set of the system calls. Existing system call based sandboxing and intrusion detection systems focus on confining program behavior using sophisticated finite state or pushdown automaton models. However, these automata generally incur high false positives when modeling program behavior such as signal handling and multithreading, and the runtime overhead is usually significantly high. We propose to use a stateless model, a whitelist of system calls needed by the target program. Due to the simplicity we are able to construct the model via static analysis on the program’s binary with much higher precision that incurs few false positives. We argue that this model is not “trivial” as stated by Wagner and Dean. We have validated this hypothesis on a set of common benign benchmark programs against a set of real-world shellcode, and shown that this simple model is, instead, very effective in preventing exploits. The model, encoded as an per-process tailored system call table, incurs virtually no runtime overhead, and should be practical to be deployed to enhance application and system security.

Elazar Gershuni,Nadav Amit,Arie Gurfinkel,Nina Narodytska,Jorge A. Navas,Noam Rinetzky,Leonid Ryzhyk,Mooly Sagiv

DOI: https://doi.org/10.1145/3314221.3314590

2019-06-08

Abstract:Extended Berkeley Packet Filter (eBPF) is a Linux subsystem that allows safely executing untrusted user-defined extensions inside the kernel. It relies on static analysis to protect the kernel against buggy and malicious extensions. As the eBPF ecosystem evolves to support more complex and diverse extensions, the limitations of its current verifier, including high rate of false positives, poor scalability, and lack of support for loops, have become a major barrier for developers. We design a static analyzer for eBPF within the framework of abstract interpretation. Our choice of abstraction is based on common patterns found in many eBPF programs. We observed that eBPF programs manipulate memory in a rather disciplined way which permits analyzing them successfully with a scalable mixture of very-precise abstraction of certain bounded regions with coarser abstractions of other parts of the memory. We use the Zone domain, a simple domain that tracks differences between pairs of registers and offsets, to achieve precise and scalable analysis. We demonstrate that this abstraction is as precise in practice as more costly abstract domains like Octagon and Polyhedra. Furthermore, our evaluation, based on hundreds of real-world eBPF programs, shows that the new tool generates no more false alarms than the existing Linux verifier, while it supports a wider class of programs (including programs with loops) and has better asymptotic complexity.

Jayanthi Ramamoorthy,Khushi Gupta,Ram C. Kafle,Narasimha K. Shashidhar,Cihan Varol

DOI: https://doi.org/10.3390/electronics13152906

IF: 2.9

2024-07-24

Electronics

Abstract:The proliferation of Internet of Things (IoT) devices on Linux platforms has heightened concerns regarding vulnerability to malware attacks. This paper introduces a novel approach to investigating the behavior of Linux IoT malware by examining syscalls and library syscall wrappers extracted through static analysis of binaries, as opposed to the conventional method of using dynamic analysis for syscall extraction. We rank and categorize Linux system calls based on their security significance, focusing on understanding malware intent without execution. Feature analysis of the assigned syscall categories and risk ranking is conducted with statistical tests to validate their effectiveness and reliability in differentiating between malware and benign binaries. Our findings demonstrate that potential threats can be reliably identified with an F1 score of 96.86%, solely by analyzing syscalls and library syscall wrappers. This method can augment traditional static analysis, providing an effective preemptive measure to enhance Linux malware analysis. This research highlights the importance of static analysis in strengthening IoT systems against emerging malware threats.

engineering, electrical & electronic,computer science, information systems,physics, applied

J. Vadayath,Kyle Zeng,Christophe Hauser,Ruoyu Wang,Y. Fratantonio,Tiffany Bao,Adam Doupé,Nicolaas Weideman,Yan Shoshitaishvili,Moritz Eckert,Gokulkrishna Praveen Menon,D. Balzarotti

Abstract:In spite of their effectiveness in the context of vulnerability discovery, current state-of-the-art binary program analysis approaches are limited by inherent trade-offs between accuracy and scalability. In this paper, we identify a set of vulnerability properties that can aid both static and dynamic vulnerability detection techniques, improving the precision of the former and the scalability of the latter. By carefully integrating static and dynamic techniques, we detect vulnerabilities that exhibit these properties in real-world programs at a large scale. We implemented our technique, making several advancements in the analysis of binary code, and created a prototype called A RBITER . We demonstrate the effectiveness of our approach with a large-scale evaluation on four common vulnerability classes: CWE-131 (Incorrect Calculation of Buffer Size), CWE-252 (Unchecked Return Value), CWE-134 (Un-controlled Format String), and CWE-337 (Predictable Seed in Pseudo-Random Number Generator). We evaluated our approach on more than 76,516 x86-64 binaries in the Ubuntu repositories and discovered new vulnerabilities, including a flaw inserted into programs during compilation.

Computer Science

Quan Zhang,Chijin Zhou,Yiwen Xu,Zijing Yin,Mingzhe Wang,Zhuo Su,Chengnian Sun,Yu Jiang,Jiaguang Sun

DOI: https://doi.org/10.1145/3622842

2023-01-01

Proceedings of the ACM on Programming Languages

Abstract:Attack surface reduction is a security technique that secures the operating system by removing the unnecessary code or features of a program. By restricting the system calls that programs can use, the system call sandbox is able to reduce the exposed attack surface of the operating system and prevent attackers from damaging it through vulnerable programs. Ideally, programs should only retain access to system calls they require for normal execution. Many researchers focus on adopting static analysis to automatically restrict the system calls for each program. However, these methods do not adjust the restriction policy along with program execution. Thus, they need to permit all system calls required for program functionalities. We observe that some system calls, especially security-sensitive ones, are used a few times in certain stages of a program’s execution and then never used again. This motivates us to minimize the set of required system calls dynamically. In this paper, we propose , which gradually disables access to unnecessary system calls throughout the program’s execution. To accomplish this, we utilize partial order analysis to transform the program into a partially ordered graph, which enables efficient identification of the necessary system calls at any given point during program execution. Once a system call is no longer required by the program, can restrict it immediately. To evaluate , we applied it to seven widely-used programs with an average of 615 KLOC, including web servers and databases. With partial order analysis, restricts an average of 23.50, 16.86, and 15.89 more system calls than the state-of-the-art Chestnut, Temporal Specialization, and the configuration-aware sandbox, C2C, respectively. For mitigating malicious exploitations, on average, defeats 83.42% of 1726 exploitation payloads with only a 5.07% overhead.

Erzhou Zhu,Peng Wen,Kanqi Ni,Ruhui Ma

DOI: https://doi.org/10.1016/j.cose.2019.05.018

IF: 5.105

2019-01-01

Computers & Security

Abstract:With the increasing availability of the computational power and constraint solving technology, the symbolic execution technology has regained interest in recent years. However, it still suffers from state explosion and low efficiency issues due to the large number of paths that need to be analyzed and the complexity of the constraints generated. Meanwhile, most of the present symbolic execution techniques are working on the source code, but the source code of most software is hard to acquire in practice. In order to cope with these issues, this paper presents BinSE, a lightweight dynamic symbolic execution framework for analyzing x86 binary programs. The framework adapts the dynamic analysis model, which combines symbolic execution with concrete execution to simplify the complexity of the path conditions. Furthermore, the hierarchical backward program slicing and the revised irrelevant API filtration mechanisms are introduced to optimize the performance of the framework. According to the experimental results, the proposed framework is efficient and can cover almost all the effective paths of the target program. Meanwhile, it also holds a promise to provide novel solutions to a broad spectrum of security problems. To demonstrate our technique, we apply the framework to detect buffer overflow vulnerability from binary executables.

Zhuo Zhang,Wei You,Guanhong Tao,Guannan Wei,Yonghwi Kwon,Xiangyu Zhang

DOI: https://doi.org/10.1145/3360563

2019-01-01

Proceedings of the ACM on Programming Languages

Abstract:Binary program dependence analysis determines dependence between instructions and hence is important for many applications that have to deal with executables without any symbol information. A key challenge is to identify if multiple memory read/write instructions access the same memory location. The state-of-the-art solution is the value set analysis (VSA) that uses abstract interpretation to determine the set of addresses that are possibly accessed by memory instructions. However, VSA is conservative and hence leads to a large number of bogus dependences and then substantial false positives in downstream analyses such as malware behavior analysis. Furthermore, existing public VSA implementations have difficulty scaling to complex binaries. In this paper, we propose a new binary dependence analysis called BDA enabled by a randomized abstract interpretation technique. It features a novel whole program path sampling algorithm that is not biased by path length, and a per-path abstract interpretation avoiding precision loss caused by merging paths in traditional analyses. It also provides probabilistic guarantees. Our evaluation on SPECINT2000 programs shows that it can handle complex binaries such as gcc whereas VSA implementations from the-state-of-art platforms have difficulty producing results for many SPEC binaries. In addition, the dependences reported by BDA are 75 and 6 times smaller than Alto, a scalable binary dependence analysis tool, and VSA, respectively, with only 0.19% of true dependences observed during dynamic execution missed (by BDA). Applying BDA to call graph generation and malware analysis shows that BDA substantially supersedes the commercial tool IDA in recovering indirect call targets and outperforms a state-of-the-art malware analysis tool Cuckoo by disclosing 3 times more hidden payloads.

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Xiaoya Zhu,Junfeng Wang,Zhiyang Fang,Xiaokang Yin,Shengli Liu

DOI: https://doi.org/10.3390/app13010413

2022-01-01

Applied Sciences

Abstract:Third-party library (TPL) reuse may introduce vulnerable or malicious code and expose the software, which exposes them to potential risks. Thus, it is essential to identify third-party dependencies and take immediate corrective action to fix critical vulnerabilities when a damaged reusable component is found or reported. However, most of the existing methods only rely on syntactic features, which results in low recognition accuracy and significantly discounts the detection performance by obfuscation techniques. In addition, a few semantic-based approaches face the efficiency problem. To resolve these problems, we propose and implement a more precise and scalable TPL detection method BBDetector. In addition to syntactic features, we consider the rich function-level semantic features and form a feature vector for each function. Moreover, we design a scalable function vector similarity search method to identify anchor functions and the candidate libraries, based upon which we carry out TPL detection. The experiment results demonstrate that BBDetector outperforms B2SFinder and ModX in terms of effectiveness, efficiency, and obfuscation-resilient capability. For the nix binaries, the F1-score of BBDetector is 1.11% and 11.21% higher than that of ModX and B2SFinder, respectively. Moreover, for the Ubuntu binaries, the F1-score of BBDetector is 1.32% and 14.93% is higher than that of ModX and B2SFinder, respectively. And in terms of efficiency, the detection time of BBDetector is only 30.02% of ModX. Besides, for the obfuscation-resilient capability, BBDetector is much stronger than B2SFinder. BBDetector achieves a F1-score of 71%, slightly lower than the F1-score of 77% achieved with the non-obfuscated binary programs. However, B2SFinder only achieves an F1-score of 28%, much lower than that of 67% achieved with the non-obfuscated binary programs.

Claudio Canella,Mario Werner,Daniel Gruss,Michael Schwarz

DOI: https://doi.org/10.48550/arXiv.2012.02554

2020-12-04

Abstract:Software vulnerabilities in applications undermine the security of applications. By blocking unused functionality, the impact of potential exploits can be reduced. While seccomp provides a solution for filtering syscalls, it requires manual implementation of filter rules for each individual application. Recent work has investigated automated approaches for detecting and installing the necessary filter rules. However, as we show, these approaches make assumptions that are not necessary or require overly time-consuming analysis. In this paper, we propose Chestnut, an automated approach for generating strict syscall filters for Linux userspace applications with lower requirements and limitations. Chestnut comprises two phases, with the first phase consisting of two static components, i.e., a compiler and a binary analyzer, that extract the used syscalls during compilation or in an analysis of the binary. The compiler-based approach of Chestnut is up to factor 73 faster than previous approaches without affecting the accuracy adversely. On the binary analysis level, we demonstrate that the requirement of position-independent binaries of related work is not needed, enlarging the set of applications for which Chestnut is usable. In an optional second phase, Chestnut provides a dynamic refinement tool that allows restricting the set of allowed syscalls further. We demonstrate that Chestnut on average blocks 302 syscalls (86.5%) via the compiler and 288 (82.5%) using the binary-level analysis on a set of 18 widely used applications. We found that Chestnut blocks the dangerous exec syscall in 50% and 77.7% of the tested applications using the compiler- and binary-based approach, respectively. For the tested applications, Chestnut prevents exploitation of more than 62% of the 175 CVEs that target the kernel via syscalls. Finally, we perform a 6 month long-term study of a sandboxed Nginx server.

Cryptography and Security

Jinghao Jia,YiFei Zhu,Dan Williams,Andrea Arcangeli,Claudio Canella,Hubertus Franke,Tobin Feldman-Fitzthum,Dimitrios Skarlatos,Daniel Gruss,Tianyin Xu

DOI: https://doi.org/10.48550/arXiv.2302.10366

2023-02-21

Abstract:System call filtering is a widely used security mechanism for protecting a shared OS kernel against untrusted user applications. However, existing system call filtering techniques either are too expensive due to the context switch overhead imposed by userspace agents, or lack sufficient programmability to express advanced policies. Seccomp, Linux's system call filtering module, is widely used by modern container technologies, mobile apps, and system management services. Despite the adoption of the classic BPF language (cBPF), security policies in Seccomp are mostly limited to static allow lists, primarily because cBPF does not support stateful policies. Consequently, many essential security features cannot be expressed precisely and/or require kernel modifications. In this paper, we present a programmable system call filtering mechanism, which enables more advanced security policies to be expressed by leveraging the extended BPF language (eBPF). More specifically, we create a new Seccomp eBPF program type, exposing, modifying or creating new eBPF helper functions to safely manage filter state, access kernel and user state, and utilize synchronization primitives. Importantly, our system integrates with existing kernel privilege and capability mechanisms, enabling unprivileged users to install advanced filters safely. Our evaluation shows that our eBPF-based filtering can enhance existing policies (e.g., reducing the attack surface of early execution phase by up to 55.4% for temporal specialization), mitigate real-world vulnerabilities, and accelerate filters.

Operating Systems,Cryptography and Security

Nitin Kanaskar,Remzi Seker,Jiang Bian,Vir V. Phoha

DOI: https://doi.org/10.1109/TSMCC.2012.2208187

2012-01-01

Abstract:Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system’s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system’s (program’s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.

Erzhou Zhu,Feng Liu,Xianyong Fang,Xuejun Li,Yindong Yang,Alei Liang

DOI: https://doi.org/10.4304/jsw.9.3.560-568

2014-01-01

Abstract:Nowadays, applications are usually large-scale, this making tasks of comprehending and debugging software rather complicated. As a dynamic reduction technique for simplifying programs, dynamic program slicing is an effective and important approach for locating and diagnosing software attacks. However, most of the existing dynamic slicing tools perform slicing at the source code level, but the source code of most software is hard to acquire in practice. In order to cope with this issue, a novel lightweight dynamic slicing framework---DYBS, is proposed for diagnosing attacks on x86 binary programs. During the execution, DYBS first gathers the runtime profile information of the target program. Once the attack is encountered and set as the slicing criterion, the normal execution terminates, and a backward program slicing is started to locate the vulnerabilities. Furthermore, a Function Call Filtration optimization mechanism is proposed to improve the performance of the framework. It is proved in the experiments that DYBS can diagnose software attacks with much lower overhead than many other similar analyzing systems.

Deen Zheng,Zhengwei Qi,Alei Liang,Hongbo Yang,Haibing Guan,Liang Liu

DOI: https://doi.org/10.1109/mobhoc.2009.5336911

2009-01-01

Abstract:Dynamic Binary Translation (DBT) is a well known software technology that enables seamless cross-ISA execution. Unfortunately, many malicious programs that may lead to unauthorized access can run easily and unrestrictedly under the DBT system. Because these malicious programs must go through the system call interface to take malicious action, system call interposition has become a widely used technique for intrusion detection and prevention. In this paper, we present HPSCIBit, a solution that efficiently confines malicious applications, supports automatic policy generation and interactive policy generation, intrusion detection and prevention in the DBT system. The experimental result on SPEC2000 CINT benchmarks shows that HPSCIBit is an effective and low overhead solution to the cross-ISA security issues.

Zhenbo Xu,Jian Zhang,Zhongxing Xu,Jiteng Wang

DOI: https://doi.org/10.1145/2610384.2628050

2014-01-01

Abstract:Symbolic analysis is a commonly used approach for static bug finding. It usually performs a precise path-by-path symbolic simulation from program inputs. A major challenge is its scalability and precision on interprocedural analysis. The former limits the application to large programs. The latter may lead to many false alarms. This paper presents a flexible, scalable and practical static bug detection tool, called Canalyze, for C programs. The flexibility is embodied in our modular design that supports different precision-level constraint solvers and interprocedural analyses. Based on these options, one can enable the less precise options to achieve a more scalable analysis or the more time-consuming options to perform a more precise analysis. Our tool is also practical to analyze real-world applications. It has been applied to some industry systems and open source programs like httpd, lighttpd, etc. And hundreds of newly found bugs were confirmed by the maintainers of our benchmarks.

Chang Da,Li Zhou-jun,Yang Tian-fang,Hu Chao-jian

DOI: https://doi.org/10.3969/j.issn.1674-9456.2011.09.009

2011-01-01

Abstract:The differences of system platform,compiler and compilation options are likely to lead semantic differences between source code and executable code,only source code analysis may omit vulnerabilities hidden in executable code.Even source code analysis has verified the nature of the need for security,but yet it can not assure the security nature in the executable code are satisfied not contrary to.This paper designed and implemented a program execution tracer based on dynamic binary instrumentation.The results show our prototype tool can accurately trace in the execution path,and be able to filter out 90% to 99% secondary instructions.At last,this paper discussed other technical solutions,the shortcoming of current prototype tool and the future work.

Ziyi Lin,Jinku Li,Bowen Li,Haoyu Ma,Debin Gao,Jianfeng Ma

DOI: https://doi.org/10.1145/3576915.3623214

2023-01-01

Abstract:Control-Flow Integrity (CFI) is considered a promising solution in thwarting advanced code-reuse attacks. While the problem of backward-edge protection in CFI is nearly closed, effective forwardedge protection is still a major challenge. The keystone of protecting the forward edge is to resolve indirect call targets, which although can be done quite accurately using type-based solutions given the program source code, it faces difficulties when carried out at the binary level. Since the actual type information is unavailable in COTS binaries, type-based indirect call target matching typically resorts to approximate function signatures inferred using the arity and argument width of indirect callsites and calltargets. Doing so with static analysis, therefore, forces the existing solutions to assume the arity/width boundaries in a too-permissive way to defeat sophisticated attacks. In this paper, we propose a novel hybrid approach to recover fine-grained function signatures at the binary level, called TYPESQUEEZER. By observing program behaviors dynamically, TYPESQUEEZER combines the static analysis results on indirect callsites and calltargets together, so that both the lower and the upper bounds of their arity/width can be computed according to a philosophy similar to the squeeze theorem. Moreover, the introduction of dynamic analysis also enables TypeS..eezeR to approximate the actual type of function arguments instead of only representing them using their widths. These together allow TYPESQUEEZER to significantly refine the capability of indirect call target resolving, and generate the approximate CFGs with better accuracy. We have evaluated TYPESQUEEZER on the SPEC CPU2006 benchmarks as well as several real-world applications. The experimental results suggest that TYPESQUEEZER achieves higher type-matching precision compared to existing binary-level type-based solutions. Moreover, we also discuss the intrinsic limitations of static analysis and show that it is not enough in defeating certain type of practical attacks; while on the other hand, the same attacks can be successfully thwarted with the hybrid analysis result of our approach.

Lixin Li,Chao Wang

DOI: https://doi.org/10.1007/978-3-642-40787-1_31

2013-01-01

Abstract:Dynamic analysis techniques have made a significant impact in security practice, e.g. by automating some of the most tedious processes in detecting vulnerabilities. However, a significant gap remains between existing software tools and what many security applications demand. In this paper, we present our work on developing a cross-platform interactive analysis tool, which leverages techniques such as symbolic execution and taint tracking to analyze binary code on a range of platforms. The tool builds upon IDA, a popular reverse engineering platform, and provides a unified analysis engine to handle various instruction sets and operating systems. We have evaluated the tool on a set of real-world applications and shown that it can help identify the root causes of security vulnerabilities quickly.

Ping Chen,Hao Han,Yi Wang,Xiaobin Shen,Xinchun Yin,Bing Mao,Li Xie

DOI: https://doi.org/10.1007/978-3-642-11145-7_26

2009-01-01

Abstract:Recently, Integer bugs have been increasing sharply and become the notorious source of bugs for various serious attacks. In this paper, we propose a tool, IntFinder, which can automatically detect Integer bugs in a x86 binary program. We implement IntFinder based on a combination of static and dynamic analysis. First, IntFinder decompiles a x86 binary code, and creates the suspect instruction set. Second, IntFinder dynamically inspects the instructions in the suspect set and confirms which instructions are actual Integer bugs with the error-prone input. Compared with other approaches, IntFinder provides more accurate and sufficient type information and reduces the instructions which will be inspected by static analysis. Experimental results are quite encouraging: IntFinder has detected the integer bugs in several practical programs as well as one new bug in slocate-2.7, and it achieves a low false positives and negatives.