Title: Compiler-assisted Runtime Techniques for Software Debloating

Chris Porter

Ph.D. student

School of Computer Science

Georgia Institute of Technology

Date: Monday, November 28, 2022

Time: 3:00 pm - 5:00 pm

Location: Klaus conference room 3100, zoom

Committee:

Dr. Santosh Pande (advisor), School of Computer Science, Georgia Institute of Technology

Dr. Alex Orso, School of Computer Science, Georgia Institute of Technology

Dr. Vivek Sarkar, School of Computer Science, Georgia Institute of Technology

Dr. Qirun Zhang, School of Computational Science and Engineering, Georgia Institute of Technology

Abstract:

Modern code reuse attacks take full advantage of bloated software. Attackers piece together short sequences of instructions in otherwise benign code to carry out malicious actions. Eliminating these reusable code snippets, known as gadgets, has become one of the prime focuses of attack surface reduction research. The aim is to break these chains of gadgets, thereby making such code reuse attacks impossible or substantially less common. Recent work on attack surface reduction has typically tried to eliminate such attacks by subsetting the application, e.g. via user-specified inputs, configurations, or features to achieve high gadget reductions. However, such techniques suffer from the limitations of soundness, i.e. the software might crash during no-attack executions on regular inputs, or they may be conservative and leave a large amount of attack surface untackled.

This proposal includes two novel works that attempt to address these shortcomings. They are fully sound and obtain strong gadget reduction. In the first work, BlankIt, we target library code and achieve ~97% code reduction. In particular, we are able to debloat GNU libc, which is notorious for housing gadgets for code reuse attacks. BlankIt works by predicting the set of library functions expected to execute at library call sites; then it enables those functions just before use and disables them after returning. Mispredictions trigger an alarm and are handled gracefully without crashes. In our second work, Decker, we target application code and achieve ~70% code reduction. The percentage reduction is similar to prior art but without sacrificing soundness (i.e. it does not crash or produce incorrect output). Decker works by instrumenting the program at compile-time at key points to enable and disable code pages; then at runtime, the framework executes these permission-mapping calls with minimal overhead (~5%).

As part of the proposed work, we will also show how to augment the whole-application technique with an accurate predictor to further reduce the potential attack surface. Using a predictive model in application code comes with several challenges not present when handling libraries. These include how to choose prediction points across the full callgraph, and how to perturb the application code as little as possible.