ABSTRACT
Program instrumentation techniques form the basis of many recent software security defenses, including defenses against common exploits and security policy enforcement. Compared to source-code instrumentation, binary instrumentation is easier to use and more broadly applicable because binary code is readily available. Two key features are needed for security instrumentation: (a) it must be applied to all application code, including the code contained in system and application libraries, and (b) it must be non-bypassable. So far, dynamic binary instrumentation (DBI) techniques have provided these features, whereas static binary instrumentation (SBI) techniques have lacked them. These features, combined with ease of use, have made DBI the de facto choice for security instrumentation. However, DBI techniques can incur high overheads in several common usage scenarios, such as application startup, system calls, and many real-world applications. We therefore develop a new platform for secure static binary instrumentation (PSI) that overcomes these drawbacks of DBI techniques while retaining their security, robustness, and ease-of-use features. We illustrate the versatility of PSI by developing several instrumentation applications: basic block counting, a shadow stack defense against control-flow hijack and return-oriented programming attacks, and system call and library policy enforcement. While competitive with the best DBI tools on the CPU-intensive SPEC 2006 benchmarks, PSI provides an order of magnitude reduction in overhead on a collection of real-world applications.
A platform for secure static binary instrumentation. Published in VEE '14.