Input-driven Dynamic Program Debloating for Code-reuse Attack Mitigation
Modern software is bloated, especially for libraries. The unnecessary code not only brings severe vulnerabilities, but also assists attackers to construct exploits. To mitigate the damage of bloated libraries, researchers have proposed several debloating techniques to remove or restrict the invocation of unused code in a library. However, existing approaches either statically keep code for all expected inputs, which leave unused code for each concrete input, or rely on runtime context to dynamically determine the necessary code, which could be manipulated by attackers.
In this paper, we propose Picup, a practical approach that dynamically customizes libraries for each input. Based on the observation that the behavior of a program mainly depends on the given input, we design Picup to predict the necessary library functions immediately after we get the input, which erases the unused code before attackers can affect the decision-making data. To achieve an effective prediction, we adopt a convolutional neural network (CNN) with attention mechanism to extract key bytes from the input and map them to library functions. We evaluate Picup on real-world benchmarks and popular applications. The results show that we can predict the necessary library functions with 97.56% accuracy, and reduce the code size by 87.55% on average with low overheads. These results indicate that Picup is a practical solution for secure and effective library debloating.
Wed 6 DecDisplayed time zone: Pacific Time (US & Canada) change
14:00 - 15:30 | Security IResearch Papers / Demonstrations / Journal First at Golden Gate C3 Chair(s): Abhik Roychoudhury National University of Singapore | ||
14:00 15mTalk | Can the configuration of static analyses make resolving security vulnerabilities more effective? - A user study Journal First Goran Piskachev Amazon Web Services, Matthias Becker Fraunhofer IEM, Eric Bodden University of Paderborn Media Attached | ||
14:15 15mTalk | Software Composition Analysis for Vulnerability Detection: An Empirical Study on Java Projects Research Papers Lida Zhao Singapore Management University, Singapore, Sen Chen College of Intelligence and Computing, Tianjin University, Zhengzi Xu Nanyang Technological University, Chengwei Liu Nanyang Technological University, Lyuye Zhang Nanyang Technological University, Wu Jiahui Nanyang Technological University, Jun Sun Singapore Management University, Yang Liu Nanyang Technological University Media Attached | ||
14:30 15mTalk | Input-driven Dynamic Program Debloating for Code-reuse Attack Mitigation Research Papers Xiaoke Wang Wuhan University, Tao Hui Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Lei Zhao Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Yueqiang Cheng NIO DOI Pre-print Media Attached | ||
14:45 7mTalk | MASC: A Tool for Mutation-based Evaluation of Static Crypto-API Misuse Detectors Demonstrations Amit Seal Ami William & Mary, Syed Yusuf Ahmed University of Dhaka, Radowan Mahmud Redoy University of Dhaka, Nathan Cooper William & Mary, Kaushal Kafle College of William & Mary, Kevin Moran University of Central Florida, Denys Poshyvanyk William & Mary, Adwait Nadkarni William & Mary Media Attached | ||
14:53 7mTalk | [Remote] llvm2CryptoLine: Verifying Arithmetic in Cryptographic C Programs Demonstrations Ruiling Chen Shenzhen University, Jiaxiang Liu Shenzhen University, Xiaomu Shi Institute of Software, Chinese Academy of Sciences, Ming-Hsien Tsai National Institute of Cyber Security, Bow-Yaw Wang , Bo-Yin Yang Academia Sinica Media Attached | ||
15:00 15mTalk | [Remote] Comparison and Evaluation on Static Application Security Testing (SAST) Tools for Java Research Papers Kaixuan Li East China Normal University, Sen Chen College of Intelligence and Computing, Tianjin University, Lingling Fan College of Cyber Science, Nankai University, Ruitao Feng University of New South Wales, Han Liu East China Normal University, Chengwei Liu Nanyang Technological University, Yang Liu Nanyang Technological University, Yixiang Chen East China Normal University Pre-print Media Attached | ||
15:15 15mTalk | [Remote] TransRacer: Function Dependence-Guided Transaction Race Detection for Smart Contracts Research Papers Chenyang Ma Nanjing University of Science and Technology, Wei Song Nanjing University of Science and Technology, Jeff Huang Texas A&M University DOI Pre-print Media Attached |