
Is Less Really More? Towards Better Metrics for Measuring Security Improvements Realized Through Software Debloating

Published: 12 August 2019

Abstract

Nearly all modern software suffers from bloat that negatively impacts its performance and security. To combat this problem, several automated techniques have been proposed to debloat software. A key metric used in these works to demonstrate improved security is code reuse gadget count reduction. The use of this metric is based on the prevailing idea that reducing the number of gadgets available in a software package reduces its attack surface and makes mounting a gadget-based code reuse exploit such as return-oriented programming (ROP) more difficult for an attacker.
In this paper, we challenge this idea and show through a variety of realistic debloating scenarios the flaws inherent to the gadget count reduction metric. Specifically, we demonstrate that software debloating can achieve high gadget count reduction rates, yet fail to limit an attacker's ability to construct an exploit. Worse yet, in some scenarios high gadget count reduction rates conceal instances in which software debloating makes security worse by introducing new quality gadgets.
To address these issues, we propose new metrics based on quality rather than quantity for assessing the security impact of software debloating. We show that these metrics can be efficiently calculated with our Gadget Set Analyzer tool. Finally, we demonstrate the utility of these metrics through a realistic debloating case study.


Published In

CSET'19: Proceedings of the 12th USENIX Conference on Cyber Security Experimentation and Test
August 2019
19 pages

Publisher

USENIX Association

United States

Publication History

Published: 12 August 2019

Qualifiers

  • Article

Article Metrics

  • Downloads (Last 12 months)0
  • Downloads (Last 6 weeks)0
Reflects downloads up to 25 Feb 2025

Cited By

  • (2024) A broad comparative evaluation of software debloating tools. Proceedings of the 33rd USENIX Conference on Security Symposium, 10.5555/3698900.3699120, pp. 3927-3943. Online publication date: 14-Aug-2024
  • (2024) Machine Learning Systems are Bloated and Vulnerable. Proceedings of the ACM on Measurement and Analysis of Computing Systems 8:1, 10.1145/3639032, pp. 1-30. Online publication date: 21-Feb-2024
  • (2022) C2C. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 10.1145/3548606.3559366, pp. 1243-1257. Online publication date: 7-Nov-2022
  • (2021) Dissecting Residual APIs in Custom Android ROMs. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 10.1145/3460120.3485374, pp. 1598-1611. Online publication date: 12-Nov-2021
