Preventing Exploits Against Software of Uncertain Provenance 

Originally published by the High Confidence Software and Systems Conference

High Confidence Software and Systems Conference, Annapolis, MD, May 2012

Authors:

David Melski

Abstract:

We describe the results of the first phase in the development of PEASOUP, a technology that enables the safe execution of software executables of uncertain provenance. PEASOUP (Preventing Exploits Against Software of Uncertain Provenance) prevents exploits of number-handling weaknesses and memory-safety weaknesses in Software of Uncertain Provenance (SOUP). In addition, PEASOUP prevents any exploit based on arc-injection or code-injection, regardless of the type of vulnerability targeted for attack. PEASOUP advanced the state-of-the-art in automatic program analysis, diversification, confinement, and remediation. PEASOUP is joint work of GrammaTech, the University of Virginia, the Georgia Institute of Technology, and Raytheon.

Analysis. The PEASOUP analyzer uses a novel combination of precise run-time analyses [40] with recent techniques for generating high-coverage test suites [19, 39]. The analyzer has the following components: test-case generation, input classification, intermediate representation recovery, variant generation, and variant validation.

Diversification. During Phase I, we developed a novel diversification technique called Instruction-Layout Randomization (ILR) that works by relocating 99.7% of the instructions in a program. Many approaches to diversification either introduce little entropy or rest on complicated entropy estimates that depend on assumptions which may not hold for some executables. ILR advances the state of the art in program diversification because it does not suffer from these shortcomings: it is simple to show that 99.7% of instructions can be relocated to any one of 2^31 addresses (on a 32-bit machine). This represents a 3.5 orders of magnitude improvement over some of the most common, successful diversification techniques. ILR makes any type of arc-injection attack infeasible, including attacks based on Return-Oriented Programming (ROP). Furthermore, ILR retains the desirable properties of existing diversification techniques: it has low overhead and is easy to deploy.
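To make the ILR mechanism concrete, the following is an added illustration written for this page; it is not PEASOUP code. It models a tiny register machine in which every instruction is placed at an independently chosen address in a 2^31-entry space, with a fallthrough map and rewritten branch targets standing in for the binary-rewriting and dynamic-translation machinery a real implementation uses. The instruction set, the constructed program, the assumed original load address (0x08048000) and the function names are all assumptions made for the example. It shows three things: the program computes the same result under the original and the randomized layout, a gadget address harvested from the original binary no longer lands on the gadget after ILR, and the per-instruction entropy (31 bits) can be compared with whatever baseline scheme the reader has in mind.

```python
"""Toy model of Instruction-Layout Randomization (ILR); added example, not PEASOUP code."""
import math
import random

ADDRESS_BITS = 31                 # 32-bit user-space figure quoted in the text
ADDRESS_SPACE = 1 << ADDRESS_BITS
ORIGINAL_BASE = 0x08048000        # assumed load address of the unrandomized binary

# Constructed program: acc = 5 + 4 + 3 + 2 + 1 -> 15.
# The jnz operand is an instruction *index* in this original layout.
PROGRAM = [
    ("mov", "acc", 0),
    ("mov", "n", 5),
    ("add", "acc", "n"),   # index 2: loop head
    ("dec", "n"),
    ("jnz", "n", 2),       # back to index 2 while n != 0
    ("ret", "acc"),        # index 5: the 'gadget' an attacker would want
]


def build_image(program, addrs):
    """Place program[i] at addrs[i]; return (entry, image, fallthrough).

    Branch targets are rewritten from indices to the new addresses and the
    fallthrough map records each instruction's successor, so execution no
    longer depends on instructions being adjacent in memory.
    """
    image = {}
    for addr, ins in zip(addrs, program):
        if ins[0] == "jnz":
            ins = ("jnz", ins[1], addrs[ins[2]])
        image[addr] = ins
    fallthrough = {addrs[i]: addrs[i + 1] for i in range(len(addrs) - 1)}
    return addrs[0], image, fallthrough


def original_layout(program):
    """Conventional layout: consecutive addresses starting at ORIGINAL_BASE."""
    return build_image(program, [ORIGINAL_BASE + i for i in range(len(program))])


def ilr_layout(program, rng):
    """ILR layout: every instruction gets its own independently chosen address."""
    return build_image(program, rng.sample(range(ADDRESS_SPACE), len(program)))


def execute(entry, image, fallthrough, max_steps=10_000):
    """Run from entry; a KeyError means control reached a non-instruction address."""
    regs, pc = {}, entry
    for _ in range(max_steps):
        ins = image[pc]
        op = ins[0]
        if op == "mov":
            regs[ins[1]] = ins[2]
        elif op == "add":
            regs[ins[1]] += regs[ins[2]]
        elif op == "dec":
            regs[ins[1]] -= 1
        elif op == "ret":
            return regs[ins[1]]
        elif op == "jnz" and regs[ins[1]] != 0:
            pc = ins[2]          # rewritten target, valid under either layout
            continue
        pc = fallthrough[pc]
    raise RuntimeError("step limit exceeded")


def run_both(seed):
    """Same program under the original and an ILR layout; both must yield 15."""
    plain = execute(*original_layout(PROGRAM))
    randomized = execute(*ilr_layout(PROGRAM, random.Random(seed)))
    return plain, randomized


def gadget_at(image, addr, opcode="ret"):
    """Does the address an attacker hard-coded still hold the instruction they expect?"""
    ins = image.get(addr)
    return ins is not None and ins[0] == opcode


def arc_injection_probe(seed=1):
    """Attacker reuses the 'ret' address learned from the original binary.
    Returns (hit in original layout, hit after ILR)."""
    gadget_addr = ORIGINAL_BASE + 5
    _, plain, _ = original_layout(PROGRAM)
    _, randomized, _ = ilr_layout(PROGRAM, random.Random(seed))
    return gadget_at(plain, gadget_addr), gadget_at(randomized, gadget_addr)


def guess_success_probability():
    """Uniform independent placement: one guess hits a given instruction with probability 2**-31."""
    return 1 / ADDRESS_SPACE


def entropy_gain_orders_of_magnitude(ilr_bits, other_bits):
    """Decimal orders of magnitude by which ilr_bits of per-instruction entropy
    exceed a scheme with other_bits (e.g. base-address-only randomization)."""
    return (ilr_bits - other_bits) * math.log10(2)


if __name__ == "__main__":
    print("results (original, ILR):", run_both(seed=7))
    print("gadget reachable (original, ILR):", arc_injection_probe())
    print("P[one guess hits a given instruction]:", guess_success_probability())
```

The probe returns `(True, False)`: the hard-coded address works against the original image and misses after randomization, which is the property that defeats arc injection and ROP chains built from a known layout. The page's 3.5 orders of magnitude figure is not reproduced here because the baseline it was measured against is not given; `entropy_gain_orders_of_magnitude(31, k)` lets you plug in the bits of entropy your own platform's base-address randomization provides.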

In addition to ILR, we demonstrated that PEASOUP can safely perform Stack-Layout Randomization (SLR) on software binaries. Previous approaches to randomizing the layout of the stack required access to a program's source code.

Confinement. Both ILR and SLR demonstrate the power of PEASOUP's analysis phase to recover high-quality IR. In fact, ILR and SLR demonstrate that it is possible to implement confinement techniques such as control-flow integrity and stack canaries directly on binaries. Previous binary analysis techniques were not adequate for these purposes.

Phase I also demonstrated that it is possible to combine Software Dynamic Translation (SDT) with Secure In-VM Monitoring (SIM). SDT gives PEASOUP the ability to implement fine-grained security policies. However, the translator itself could be subject to attack. SIM addresses this shortcoming by using hardware memory protection to ensure that the translator is not compromised. We believe that this represents an advance in the provable security guarantees that can be made for a fine-grained policy enforcement technique.

Remediation. Finally, PEASOUP demonstrated advances in the state-of-the-art for automatic program remediation during the independent evaluation of the Phase I prototype. Specifically, the padding introduced by PEASOUP’s diversification techniques allowed real-world applications (bzip2, ngircd) to continue correct execution when they were provided malicious inputs.

This work is sponsored by Air Force Research Laboratories (contract #FA8650-10-C-7025).
